CVE-2026-12434 Overview
CVE-2026-12434 is a sensitive information exposure vulnerability in the List Category Posts plugin for WordPress. The flaw affects all plugin versions up to and including 0.95.0 and stems from improper authorization in the sanitize_status function [CWE-862]. Authenticated attackers with contributor-level access can embed a crafted [catlist] shortcode in a draft and preview it to extract non-public post data. Exposed data includes titles, full content, excerpts, dates, authors, and custom-field metadata of other users' pending-review, scheduled, and trashed posts. The issue is an incomplete-fix bypass of CVE-2025-11377, which was addressed in version 0.93.0.
Critical Impact
Contributor-level users can read pending, scheduled, and trashed posts belonging to other authors, exposing unpublished editorial content and custom-field metadata.
Affected Products
- WordPress List Category Posts plugin versions up to and including 0.95.0
- WordPress sites permitting contributor-level or higher user registration
- WordPress installations relying on the prior CVE-2025-11377 fix in version 0.93.0
Discovery Timeline
- 2026-07-16 - CVE-2026-12434 published to NVD
- 2026-07-16 - Last updated in NVD database
Technical Details for CVE-2026-12434
Vulnerability Analysis
The List Category Posts plugin exposes a [catlist] shortcode that renders lists of posts based on user-supplied parameters. The sanitize_status routine in include/lcp-catlist.php fails to restrict which post statuses a contributor can query through the shortcode. When a contributor previews a draft containing a crafted shortcode, the plugin executes the query in the author's session context and returns posts in pending, future, and trash states. This bypasses WordPress's standard capability checks that would otherwise prevent contributors from viewing other authors' unpublished work. The returned fields include the full post body, excerpts, timestamps, author identifiers, and custom-field metadata.
Root Cause
The root cause is missing authorization in sanitize_status [CWE-862]. The previous fix for CVE-2025-11377 attempted to restrict non-public statuses but did not account for all shortcode parameter combinations that reach the query builder in lcp-parameters.php. Contributors retain the ability to specify statuses that the plugin then honors when building the underlying WP_Query.
Attack Vector
Exploitation requires an authenticated account with contributor privileges. The attacker creates a draft post, inserts a [catlist] shortcode with parameters targeting non-public statuses and custom fields, then invokes the preview action. The rendered preview returns data from other authors' non-public posts, which the attacker reads directly from the browser. No user interaction from an administrator is required, and no additional privileges are needed. Technical details are documented in the Wordfence Vulnerability Report and the WordPress plugin source.
Detection Methods for CVE-2026-12434
Indicators of Compromise
- Draft or auto-draft posts authored by contributor accounts containing [catlist] shortcodes referencing status, customfield_name, or customfield_value parameters
- Preview requests (preview=true or preview_id= in URL) from contributor sessions returning content lengths inconsistent with the visible draft body
- Access log entries showing repeated GET requests to preview endpoints from the same low-privilege user
Detection Strategies
- Audit the wp_posts table for drafts containing the string [catlist combined with status= values such as pending, future, or trash
- Correlate WordPress user role data with preview request patterns to identify contributors issuing an abnormal volume of preview actions
- Review plugin activation inventory to identify sites running List Category Posts 0.95.0 or earlier
Monitoring Recommendations
- Enable WordPress audit logging for post preview events and shortcode rendering tied to contributor accounts
- Alert on new contributor account creation followed by rapid draft-and-preview activity
- Monitor egress from the WordPress host for content matching known unpublished post fingerprints
How to Mitigate CVE-2026-12434
Immediate Actions Required
- Inventory all WordPress installations and identify sites running List Category Posts version 0.95.0 or earlier
- Update the plugin to the fixed release referenced in the WordPress code changeset
- Review contributor accounts for recent draft-and-preview activity and remove untrusted contributor accounts
Patch Information
The vendor addressed the incomplete fix from CVE-2025-11377 in a subsequent release documented in the WordPress plugin repository. Administrators should apply the update referenced in the WordPress plugin changeset and validate the patched files against include/lcp-catlist.php and include/lcp-parameters.php.
Workarounds
- Deactivate the List Category Posts plugin until a patched version is applied
- Restrict contributor role assignments and disable open user registration on affected sites
- Use a web application firewall rule to block preview requests containing [catlist] shortcodes with status=pending, status=future, or status=trash parameters
# Example WP-CLI command to identify vulnerable installations
wp plugin get list-category-posts --field=version
wp plugin deactivate list-category-posts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

