CVE-2026-1060

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N                                    

Vulnerability Description

The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.

Vulnerability Details

Published Date

January 28, 2026

Last Modified

January 29, 2026

CWE ID

CWE-200

Source

NVD

External References

https://plugins.trac.wordpress.org/browser/adminify/tags/4.0.6.1/Libs/Addons.php#L54
https://plugins.trac.wordpress.org/changeset/3442928/
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ecb4f95-346e-49b3-859f-44f28a72f065?source=cve

CVE-2026-1060

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment