CVE-2026-1060 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the WP Adminify plugin for WordPress, specifically all versions up to and including 4.0.7.7. The vulnerability arises from the /wp-json/adminify/v1/get-addons-list REST API endpoint, which is registered with a permission_callback set to __return_true. This configuration means that the endpoint does not require any authentication or authorization, allowing any unauthenticated user to query it. When accessed, the endpoint returns a comprehensive list of all available addons for the plugin, including their installation status, version numbers, and download URLs. This information leakage can provide attackers with valuable intelligence about the target environment, such as which plugin components are installed and their versions, potentially revealing outdated or vulnerable components. Although the vulnerability does not directly enable remote code execution or privilege escalation, the exposed data can facilitate reconnaissance and targeted attacks, such as exploiting known vulnerabilities in specific addon versions or crafting social engineering attacks. The CVSS v3.1 base score is 5.3, reflecting a medium severity due to the ease of exploitation (no authentication or user interaction required) but limited impact confined to confidentiality loss without affecting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects all versions of the WP Adminify plugin up to 4.0.7.7, which is used in WordPress environments primarily for white labeling, admin menu editing, and login customization.

The primary impact of CVE-2026-1060 is the unauthorized disclosure of sensitive information about the WP Adminify plugin's addons on affected WordPress sites. This information leakage can aid attackers in several ways: it enables detailed reconnaissance by revealing installed plugin components and their versions, which can be cross-referenced with known vulnerabilities to identify exploitable weaknesses. Attackers may also use the download URLs to obtain plugin files for offline analysis or to craft supply chain attacks. While the vulnerability does not directly compromise site integrity or availability, it lowers the overall security posture by providing attackers with actionable intelligence. Organizations running WordPress sites with this plugin may face increased risk of targeted attacks, including privilege escalation attempts, phishing, or exploitation of other vulnerabilities in the disclosed addons. The impact is more significant for high-value targets such as e-commerce sites, government portals, or enterprises relying on WordPress for critical operations. Additionally, the widespread use of WordPress globally means a large attack surface, increasing the likelihood of opportunistic scanning and exploitation attempts.

To mitigate CVE-2026-1060, organizations should take the following specific actions: 1) Immediately update the WP Adminify plugin to a version where this vulnerability is patched once available; monitor vendor announcements for patches. 2) If no patch is available, restrict access to the /wp-json/adminify/v1/get-addons-list REST API endpoint by implementing authentication or IP-based access controls at the web server or application firewall level. 3) Employ a Web Application Firewall (WAF) with custom rules to block or rate-limit unauthenticated requests to this endpoint. 4) Conduct regular plugin audits to identify and remove unused or outdated plugins and addons, reducing the attack surface. 5) Monitor WordPress logs and REST API access patterns for unusual or unauthorized requests targeting this endpoint. 6) Educate site administrators about the risks of exposing plugin information and encourage minimal plugin usage with strict access controls. 7) Consider disabling the REST API or limiting its exposure where feasible, especially on sites that do not require it for public functionality. These steps go beyond generic advice by focusing on access control and monitoring specific to the vulnerable endpoint and plugin.