CVE-2026-11781
Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX
Vexday Risk Score
28Low
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 2.7EPSS 0.2%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
02 Jul 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role (Contributor) to disclose non-public content that WordPress would not otherwise expose to them, such as other authors' unpublished post titles, pending comment content, the site's Adminify WordPress plugin before 4.2.10 inventory, and user account names.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Affected products
Unknown · Adminifypublic PoCs found — 1
cve_referencewpscan.com/vulnerability/0aa18fe0-2d64-45dc-9eab-9587d63853be/unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.