Cyber Resilience

CVE-2026-4338

Severity: High

Published: 08 April 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: upgrade to ActivityPub 8.0.2 or later
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0002 (6.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4338 is a high-severity information-disclosure vulnerability in the Automattic ActivityPub plugin for WordPress; NVD assigns it no specific weakness class (NVD-CWE-noinfo). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-4338, published on 2026-04-08T07:16:22.400, affects the ActivityPub WordPress plugin in versions before 8.0.2. The plugin fails to filter posts by status before exposing them, so unauthenticated requests can retrieve draft, scheduled (WordPress status "future") and pending posts that should remain private. The issue carries a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): network vector, low attack complexity, no privileges or user interaction required, high confidentiality impact, and no impact on integrity or availability. NVD assigns no specific CWE (NVD-CWE-noinfo).

Attackers require no authentication and can exploit this remotely over the network with minimal effort. Successful exploitation allows them to retrieve sensitive unpublished content, such as draft posts, scheduled publications, or pending reviews, potentially leaking confidential business information, personal data, or pre-release material hosted on vulnerable WordPress sites using the plugin.

The WPScan advisory (https://wpscan.com/vulnerability/50f68395-72fc-4f99-8e6d-6aa90cc640b5/) confirms the flaw and advises upgrading to ActivityPub plugin version 8.0.2 or later, which introduces proper post filtering to limit visibility to published content only. No additional workarounds or patch details are provided in the reference.
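Since the advisory gives only a version boundary (fixed in 8.0.2), the practical first check is to confirm which plugin version a site is running. The following is an added example for this page, not code from the advisory or from the ActivityPub project. It assumes the plugin follows the standard WordPress.org layout, in which wp-content/plugins/activitypub/readme.txt is world-readable and carries a "Stable tag:" line; the readme text embedded below is constructed for the demonstration. The version comparison is numeric rather than lexical, which matters here because a string comparison would wrongly rank a future 8.0.10 below 8.0.2.

```python
"""Determine whether an ActivityPub WordPress plugin install falls in the
CVE-2026-4338 affected range (versions before 8.0.2).

Added example, not the advisory's or the plugin's own code. Assumptions:
the plugin ships the standard WordPress.org readme.txt at
<site>/wp-content/plugins/activitypub/readme.txt, readable without
authentication, and that file carries a "Stable tag:" line.
"""
import re
import sys
import urllib.request
from typing import Optional

FIXED_VERSION = "8.0.2"  # per the WPScan advisory: upgrade to 8.0.2 or later

# Constructed sample readme.txt in the WordPress.org plugin format (not real data).
SAMPLE_README = """=== ActivityPub ===
Contributors: automattic
Tested up to: 6.7
Stable tag: 8.0.1
License: MIT
"""


def parse_stable_tag(readme_text: str) -> Optional[str]:
    """Return the numeric 'Stable tag' value from a plugin readme, or None.

    Returns None when the tag is absent or non-numeric (e.g. 'trunk'), so the
    caller cannot mistake a missing value for a safe one.
    """
    m = re.search(r"^Stable tag:\s*([0-9][0-9A-Za-z.\-]*)\s*$",
                  readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Map '8.0.10' to ((8, 0, 10), 0) so comparisons are numeric.

    A lexical compare would rank '8.0.10' below '8.0.2'. A pre-release suffix
    such as '8.0.2-beta' gets rank -1 so it sorts below the plain release.
    """
    core, _, suffix = version.partition("-")
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))  # pad so '8.0' == '8.0.0'
    return (tuple(parts), -1 if suffix else 0)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed release."""
    return version_key(version) < version_key(fixed)


def assess_readme(readme_text: str) -> dict:
    """Parse a readme and report the installed version and affected status."""
    ver = parse_stable_tag(readme_text)
    if ver is None:
        return {"version": None, "vulnerable": None,
                "note": "no numeric Stable tag; plugin absent or readme customised"}
    return {"version": ver, "vulnerable": is_vulnerable(ver), "note": ""}


def fetch_readme(site: str, timeout: float = 10.0) -> str:
    """Fetch the plugin readme from a site you are authorised to test."""
    url = site.rstrip("/") + "/wp-content/plugins/activitypub/readme.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # With a site URL as argv[1] the readme is fetched; otherwise the sample is used.
    text = fetch_readme(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_README
    print(assess_readme(text))
```

Treat a None result as "unknown", not "safe": hosts often block direct access to readme.txt, and the readme only reflects what was shipped with the installed package. On a site you administer, the plugin's own version header in the WordPress admin is the authoritative value.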

Vulnerability details

The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowing unauthenticated users to access draft, scheduled, and pending posts.

CWE(s)

NVD-CWE-noinfo (no specific CWE assigned)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The flaw sits in a plugin exposed by a public-facing WordPress site and lets a remote, unauthenticated attacker read private content through improper post filtering, which maps directly to exploitation of a public-facing application for data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

automattic
activitypub
< 8.0.2 (fixed in 8.0.2)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations so that unauthenticated users cannot access unpublished draft, scheduled, or pending posts.

SI-15 Information Output Filtering (prevent)

Filters information output so that sensitive unpublished post content is not displayed to unauthenticated remote users.

AC-22 Publicly Accessible Content (prevent)

Controls the designation and review of publicly accessible content to ensure drafts and pending posts are not exposed publicly.

References

WPScan advisory: https://wpscan.com/vulnerability/50f68395-72fc-4f99-8e6d-6aa90cc640b5/