Page-list <= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes
CVE-2026-9008

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Page-list
Vendor: CVE Published:; 6 June 2026

What is CVE-2026-9008?

The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.

Affected Version(s)

Page-list 0 <= 6.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/page-list/tags...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 6, 2026
Vulnerability Reserved
May 19, 2026

Credit

darkestmode

CVE-2026-9008 Data

JSON