CVE-2026-1060 Overview
The WP Adminify plugin for WordPress contains a Sensitive Information Exposure vulnerability in all versions up to and including 4.0.7.7. The vulnerability exists in the /wp-json/adminify/v1/get-addons-list REST API endpoint, which is registered with permission_callback set to __return_true. This misconfiguration allows unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs without requiring any authentication.
Critical Impact
Unauthenticated attackers can enumerate plugin addons, installation status, and version information, potentially enabling targeted attacks against known vulnerable components.
Affected Products
- WP Adminify plugin for WordPress versions up to and including 4.0.7.7
Discovery Timeline
- January 28, 2026 - CVE-2026-1060 published to NVD
- January 29, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1060
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The root issue stems from improper access control implementation on a REST API endpoint that exposes sensitive plugin configuration data.
The vulnerable endpoint /wp-json/adminify/v1/get-addons-list was designed to provide addon management functionality but was incorrectly configured to be publicly accessible. When the endpoint is queried, it returns detailed information about all available addons including their installation status, version numbers, and download URLs. This information disclosure can be leveraged by attackers to identify installed components and their versions, facilitating reconnaissance for further attacks.
The vulnerability is exploitable over the network without any user interaction or authentication requirements, making it particularly concerning for WordPress sites running the affected plugin versions.
Root Cause
The vulnerability originates from the REST API endpoint registration code located in the WordPress Adminify Addons Code. The endpoint was registered with permission_callback set to __return_true, which is a WordPress function that always returns true, effectively bypassing all authentication and authorization checks.
This is a common misconfiguration in WordPress plugin development where developers inadvertently expose internal functionality to unauthenticated users by failing to implement proper permission callbacks.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can simply send an HTTP GET request to the vulnerable REST API endpoint on any WordPress site running the affected plugin version. The response will contain sensitive information about installed addons, their versions, and download locations.
This reconnaissance data can be used to identify vulnerable components within the WordPress installation, determine the site's attack surface, and plan targeted attacks against known vulnerabilities in specific addon versions.
Detection Methods for CVE-2026-1060
Indicators of Compromise
- Unusual HTTP requests to /wp-json/adminify/v1/get-addons-list endpoint from external IP addresses
- Unexpected access patterns to WordPress REST API endpoints from unauthenticated users
- Multiple enumeration requests targeting WordPress plugin API endpoints
- Log entries showing successful responses to addon list queries from suspicious sources
Detection Strategies
- Monitor web server access logs for requests to /wp-json/adminify/v1/get-addons-list from unauthenticated sources
- Implement Web Application Firewall (WAF) rules to alert on or block unauthorized REST API enumeration attempts
- Review WordPress audit logs for unusual REST API activity patterns
- Configure intrusion detection systems to flag reconnaissance attempts against plugin endpoints
Monitoring Recommendations
- Enable detailed logging for WordPress REST API endpoints to capture request metadata
- Set up alerts for bulk or rapid requests to plugin management endpoints
- Monitor for sequential enumeration patterns that may indicate automated scanning tools
- Implement rate limiting on REST API endpoints to slow down enumeration attempts
How to Mitigate CVE-2026-1060
Immediate Actions Required
- Update WP Adminify plugin to the latest patched version immediately
- Review web server logs for evidence of prior exploitation attempts
- Audit other installed plugins for similar unauthenticated endpoint vulnerabilities
- Consider temporarily disabling the REST API endpoint if immediate patching is not possible
Patch Information
The vulnerability has been addressed in a security update. The fix can be reviewed in WordPress Changeset #3442928. Site administrators should update the WP Adminify plugin through the WordPress dashboard or by manually downloading the latest version from the WordPress plugin repository.
Additional vulnerability details and remediation guidance are available in the Wordfence Vulnerability Report.
Workarounds
- Implement server-level access controls to restrict access to the vulnerable REST API endpoint
- Use a Web Application Firewall to block unauthenticated requests to /wp-json/adminify/v1/get-addons-list
- Consider disabling the WP Adminify plugin until the patched version can be applied
- Restrict REST API access to authenticated users only through WordPress configuration or security plugins
# Apache .htaccess rule to block access to the vulnerable endpoint
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/adminify/v1/get-addons-list [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
