cleantalk
Vulnerabilities and Security Researches

WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders, CVE-2026-1060

CVE, Research URL

CVE-2026-1060

Home page URL

Security reports for WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders

Application

WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders

Published on
Jan 28, 2026
Research Description
The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.
Affected versions
max 4.0.7.8.
Status
vulnerable
Previous vulnerability researches
WP Responsive Images (CVE-2026-1557) , Apr 15, 2026
New vulnerability
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2026-3885) , Apr 16, 2026
Royal Elementor Addons and Templates (CVE-2026-40763) , Apr 16, 2026
WP Google Street View (with 360° virtual tour) & Google maps + Local SEO (CVE-2026-0563) , Apr 16, 2026
AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress (CVE-2026-3614) , Apr 16, 2026
Token of Trust: AI Identity Verification, Age Verification, and KYC (CVE-2026-2834) , Apr 16, 2026