cleantalk
Vulnerabilities and Security Researches

WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders, CVE-2026-1060

CVE, Research URL

CVE-2026-1060

Home page URL

Security reports for WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders

Application

WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders

Published on
Jan 28, 2026
Research Description
The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.
Affected versions
max 4.0.7.8.
Status
vulnerable
Previous vulnerability researches
Supreme Addons for Beaver Builder – (CVE-2025-3669) , Jul 25, 2025
New vulnerability
WordPress Plugin for Google Maps – WP MAPS (CVE-2025-13364) , Apr 16, 2026
WordPress Plugin for Google Maps – WP MAPS (CVE-2026-39492) , Apr 16, 2026
Tutor LMS – eLearning and online course solution (CVE-2026-0548) , Apr 16, 2026
Tutor LMS – eLearning and online course solution (CVE-2026-40740) , Apr 16, 2026
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2026-3885) , Apr 16, 2026