Vulnerabilities and security researches forpage-list page-list

Jun 07, 2026

CVE, Research URL: CVE-2026-9008
Home page URL: Security reports for Page-list
Application: Page-list
Date: Jun 06, 2026
Research Description: The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.
Affected versions: max 6.3.
Status: vulnerable

Oct 11, 2025

CVE, Research URL: CVE-2025-58030
Home page URL: Security reports for Page-list
Application: Page-list
Date: Sep 23, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Page-list allows Stored XSS. This issue affects Page-list: from n/a through 5.7.
Affected versions: max 5.8.
Status: vulnerable

Oct 03, 2024

CVE, Research URL: CVE-2024-47382
Home page URL: Security reports for Page-list
Application: Page-list
Date: Oct 05, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Webvitaly Page-list allows Stored XSS.This issue affects Page-list: from n/a through 5.6.
Affected versions: max 5.7.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2022-4485
Home page URL: Security reports for Page-list
Application: Page-list
Date: Jan 23, 2023
Research Description: The Page-list WordPress plugin before 5.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Affected versions: max 5.3.
Status: vulnerable