Information Exposure Vulnerability in List Category Posts Plugin for WordPress
CVE-2025-11377

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: List Category Posts
Vendor: CVE Published:; 1 November 2025

What is CVE-2025-11377?

The List Category Posts plugin for WordPress is susceptible to information exposure, allowing authenticated users with contributor access or higher to bypass restrictions. This vulnerability arises through the 'catlist' shortcode, which does not sufficiently limit access to posts marked as password protected, private, or in draft mode. Consequently, attackers can exploit this flaw to access sensitive content that is not meant for their viewing. It is crucial for website administrators to assess their installations and apply any available updates to prevent potential unauthorized access to sensitive information.

Affected Version(s)

List category posts * <= 0.92.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 1, 2025
Vulnerability Reserved
Oct 6, 2025

Credit

Athiwat Tiprasaharn

JSON