PatchSiren cyber security CVE debrief
CVE-2026-12434 fernandobt CVE debrief
The List category posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.95.0 via the sanitize_status. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles, full content, excerpts, dates, authors, and custom-field metadata of other users' pending-review, scheduled, and trashed posts by embedding a crafted [catlist] shortcode in their own draft and previewing it. This vulnerability is a bypass of the incomplete fix introduced for CVE-2025-11377 in version 0.93.0.
- Vendor
- fernandobt
- Product
- List category posts
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Authenticated attackers with contributor-level access and above in WordPress installations using the List category posts plugin versions up to and including 0.95.0. These attackers can exploit this vulnerability to extract sensitive information from other users' posts that are in pending-review, scheduled, or trashed status, potentially impacting the confidentiality of the information contained within those posts.
Technical summary
The List category posts plugin for WordPress is vulnerable to Sensitive Information Exposure due to inadequate sanitization in the sanitize_status function. An authenticated attacker with contributor-level access can exploit this by embedding a crafted [catlist] shortcode in their draft, allowing them to extract sensitive information such as titles, full content, excerpts, dates, authors, and custom-field metadata from other users' posts that are in pending-review, scheduled, or trashed status.
Defensive priority
Medium priority due to the requirement for authenticated access and the potential for significant information disclosure.
Recommended defensive actions
- Update the List category posts plugin to a version beyond 0.95.0.
- Restrict contributor-level access and above to only trusted users.
- Monitor for suspicious shortcode usage in drafts.
- Implement additional logging and monitoring for sensitive information access.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-16T04:17:15.847Z and has not been modified since then. The vulnerability was reported by [email protected]. Evidence is limited to the CVE record and NVD detail page. Defenders should verify the affected plugin versions and review their installations for potential exposure.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T04:17:15.847Z and has not been modified since then.