CVE-2026-4338
Published: 08 April 2026
Summary
CVE-2026-4338 is a high-severity vulnerability of unspecified weakness type in Automattic ActivityPub. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 6.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-15 (Information Output Filtering).
Deeper analysis
The vulnerability CVE-2026-4338, published on 2026-04-08T07:16:22.400, affects the ActivityPub WordPress plugin in versions before 8.0.2. It arises from improper filtering of posts intended for display, enabling unauthenticated users to access drafts, scheduled, or pending posts that should remain private. The issue carries a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with network vector, low complexity, no privileges or user interaction required, and no effect on integrity or availability. It maps to NVD-CWE-noinfo.
Attackers require no authentication and can exploit this remotely over the network with minimal effort. Successful exploitation allows them to retrieve sensitive unpublished content, such as draft posts, scheduled publications, or pending reviews, potentially leaking confidential business information, personal data, or pre-release material hosted on vulnerable WordPress sites using the plugin.
The WPScan advisory (https://wpscan.com/vulnerability/50f68395-72fc-4f99-8e6d-6aa90cc640b5/) confirms the flaw and advises upgrading to ActivityPub plugin version 8.0.2 or later, which introduces proper post filtering to limit visibility to published content only. No additional workarounds or patch details are provided in the reference.
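The advisory describes the bug class (posts selected for display without restricting them to published content) but not the plugin's code. The following added example, which is not the plugin's own code, models that failure mode in Python: a deny-list check that hides only drafts still leaks scheduled ("future" in WordPress terms), pending and private posts into an ActivityPub outbox, while an allow-list check limited to "publish" does not. The post data, actor URL and helper names are constructed for the illustration.

```python
from dataclasses import dataclass

# Statuses an unauthenticated requester may ever see (allow-list).
PUBLIC_STATUSES = frozenset({"publish"})


@dataclass(frozen=True)
class Post:
    post_id: int
    title: str
    status: str  # WordPress post_status: publish, draft, pending, future, private, trash


# Constructed sample data; "future" is WordPress's status for scheduled posts.
SAMPLE_POSTS = [
    Post(1, "Release notes 8.0", "publish"),
    Post(2, "Unannounced roadmap", "draft"),
    Post(3, "Embargoed launch post", "future"),
    Post(4, "Contractor write-up", "pending"),
    Post(5, "Internal memo", "private"),
]


def visible_denylist(post: Post) -> bool:
    """Weak check (assumed illustration of the bug class): only drafts are hidden."""
    return post.status != "draft"


def visible_allowlist(post: Post) -> bool:
    """Hardened check: anonymous requesters see published posts only."""
    return post.status in PUBLIC_STATUSES


def build_outbox(posts, visible, actor="https://blog.example/author/alice"):
    """Serialise the posts passing `visible` as a minimal ActivityPub OrderedCollection."""
    items = [
        {"type": "Create", "actor": actor,
         "object": {"type": "Article", "id": f"{actor}/posts/{p.post_id}", "name": p.title}}
        for p in posts if visible(p)
    ]
    return {"@context": "https://www.w3.org/ns/activitystreams",
            "type": "OrderedCollection", "totalItems": len(items), "orderedItems": items}


def leaked_titles(posts, visible):
    """Titles of non-public posts that a given visibility check would expose."""
    return [p.title for p in posts if visible(p) and p.status not in PUBLIC_STATUSES]
```

Running `leaked_titles(SAMPLE_POSTS, visible_denylist)` lists the three non-public posts the weak check exposes; the allow-list version leaks none and the outbox contains only the published article.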
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20058
Vulnerability details
The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowing unauthenticated users to access drafts/scheduled/pending posts.
- CWE(s): NVD-CWE-noinfo (no specific weakness type assigned)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Vulnerability in public-facing WordPress plugin enables remote unauthenticated access to private content via improper post filtering, directly mapping to exploitation of public-facing applications for data access.
Affected Assets
- ActivityPub WordPress plugin (Automattic), versions before 8.0.2
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations to prevent unauthenticated users from accessing unpublished drafts, scheduled, or pending posts.
- SI-15 (Information Output Filtering): filters information output to block display of sensitive unpublished post content to unauthenticated remote users.
- Controls designation and review of publicly accessible content to ensure drafts and pending posts are not exposed publicly.