PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12434 fernandobt CVE debrief

The List category posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.95.0 via the sanitize_status. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles, full content, excerpts, dates, authors, and custom-field metadata of other users' pending-review, scheduled, and trashed posts by embedding a crafted [catlist] shortcode in their own draft and previewing it. This vulnerability is a bypass of the incomplete fix introduced for CVE-2025-11377 in version 0.93.0.

Vendor
fernandobt
Product
List category posts
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Authenticated attackers with contributor-level access and above in WordPress installations using the List category posts plugin versions up to and including 0.95.0. These attackers can exploit this vulnerability to extract sensitive information from other users' posts that are in pending-review, scheduled, or trashed status, potentially impacting the confidentiality of the information contained within those posts.

Technical summary

The List category posts plugin for WordPress is vulnerable to Sensitive Information Exposure due to inadequate sanitization in the sanitize_status function. An authenticated attacker with contributor-level access can exploit this by embedding a crafted [catlist] shortcode in their draft, allowing them to extract sensitive information such as titles, full content, excerpts, dates, authors, and custom-field metadata from other users' posts that are in pending-review, scheduled, or trashed status.

Defensive priority

Medium priority due to the requirement for authenticated access and the potential for significant information disclosure.

Recommended defensive actions

  • Update the List category posts plugin to a version beyond 0.95.0.
  • Restrict contributor-level access and above to only trusted users.
  • Monitor for suspicious shortcode usage in drafts.
  • Implement additional logging and monitoring for sensitive information access.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-16T04:17:15.847Z and has not been modified since then. The vulnerability was reported by [email protected]. Evidence is limited to the CVE record and NVD detail page. Defenders should verify the affected plugin versions and review their installations for potential exposure.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T04:17:15.847Z and has not been modified since then.