cleantalk
Vulnerabilities and Security Researches

Page-list, CVE-2026-9008

CVE, Research URL

CVE-2026-9008

Home page URL

Security reports for Page-list

Application

Page-list

Published on
Jun 06, 2026
Research Description
The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.
Affected versions
max 6.3.
Status
vulnerable
Previous vulnerability researches
Page-list (CVE-2024-47382) , Oct 03, 2024
Page-list (CVE-2026-9008) , Jun 07, 2026
Page-list (CVE-2022-4485) , Jun 07, 2024
Page-list (CVE-2025-58030) , Oct 11, 2025
New vulnerability
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator (CVE-2026-8976) , Jun 07, 2026
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg (CVE-2026-7796) , Jun 07, 2026
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin (CVE-2026-48965) , Jun 07, 2026
WP User Manager – User Profile Builder & Membership (CVE-2026-9290) , Jun 07, 2026
Page-list (CVE-2026-9008) , Jun 07, 2026