WordPress ActivityPub Plugin Allows Access to Private Posts

CVE-2026-4338
Summary

The WordPress ActivityPub plugin has a security issue that allows anyone, even without a login, to view posts that are not yet published. This means sensitive or draft content might be exposed. Update the plugin to version 8.0.2 or later to fix this vulnerability.

Original title
The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowing unauthenticated users to access drafts/scheduled/pending posts
Original description
The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowing unauthenticated users to access drafts/scheduled/pending posts
Published: 8 Apr 2026 · Updated: 10 Apr 2026 · First seen: 8 Apr 2026