CVE-2026-1060: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in litonice13 WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer
CVE-2026-1060 is a medium-severity vulnerability in the WP Adminify WordPress plugin, versions up to and including 4.0.7.7. It allows unauthenticated attackers to access sensitive information through the /wp-json/adminify/v1/get-addons-list REST API endpoint, which is improperly configured to permit unrestricted access. The exposed data includes the full list of available addons, their installation status, version numbers, and download URLs. Although this vulnerability does not allow direct modification or disruption of the system, it leaks information that could aid attackers in crafting targeted attacks or identifying outdated components. No known exploits are currently reported in the wild. European organizations using this plugin should prioritize patching or mitigating this issue to prevent information leakage that could facilitate further compromise. Countries with high WordPress usage and significant adoption of this plugin, such as Germany, the UK, and France, are most likely to be affected.
AI Analysis
Technical Summary
The WP Adminify plugin for WordPress, widely used for white labeling, admin menu editing, and login customization, suffers from a sensitive information exposure vulnerability identified as CVE-2026-1060. This vulnerability arises because the REST API endpoint /wp-json/adminify/v1/get-addons-list is registered with a permission callback set to __return_true, effectively disabling any authentication or authorization checks. As a result, any unauthenticated user can query this endpoint and retrieve detailed information about all available addons, including which are installed, their exact version numbers, and download URLs. This exposure falls under CWE-200, indicating that sensitive information is disclosed to unauthorized actors. The CVSS 3.1 base score is 5.3 (medium severity), reflecting that the vulnerability is remotely exploitable without authentication or user interaction, but only impacts confidentiality without affecting integrity or availability. Although no exploits have been reported in the wild, the leaked information can be leveraged by attackers to identify vulnerable plugin versions or plan further attacks such as targeted exploits or social engineering. The vulnerability affects all versions up to and including 4.0.7.7 of the WP Adminify plugin. Since WordPress is a popular CMS in Europe, and WP Adminify is used by organizations seeking customized admin interfaces, this vulnerability presents a meaningful risk if left unaddressed.
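As an added illustration (this is not WP Adminify's code; only the route name comes from the advisory, and the callback, addon data and capability choice are assumptions), the following shows the registration pattern the analysis describes next to a hardened form. The difference is entirely in the permission_callback: '__return_true' makes the route public, while a capability check restricts it to administrators and also causes WordPress to require the REST nonce for cookie-authenticated requests.

```php
<?php
/**
 * Added example, not plugin code: vulnerable vs. hardened REST route registration.
 * Route name from the advisory; everything else is constructed for illustration.
 */

// Constructed sample data standing in for the plugin's addon inventory.
function example_adminify_addons_list( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        array(
            'slug'         => 'example-addon',
            'installed'    => true,
            'version'      => '1.2.3',
            'download_url' => 'https://example.invalid/example-addon.zip',
        ),
    ) );
}

// Pattern described by the advisory (shown for comparison, NOT hooked below):
// permission_callback => '__return_true' disables all authorization, so any
// unauthenticated GET to /wp-json/adminify/v1/get-addons-list returns the data.
function example_register_addons_route_vulnerable() {
    register_rest_route( 'adminify/v1', '/get-addons-list', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_adminify_addons_list',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
}

// Hardened form: addon inventory is administrative data, so gate it on a
// capability. Unauthenticated callers get 401, logged-in non-admins get 403
// (rest_authorization_required_code() picks the right one).
function example_register_addons_route_hardened() {
    register_rest_route( 'adminify/v1', '/get-addons-list', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_adminify_addons_list',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to list addons.', 'example' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
}

// Only the hardened registration is hooked; registering both would leave two
// handlers on the same route.
add_action( 'rest_api_init', 'example_register_addons_route_hardened' );
```

A quick way to confirm a site is affected is an unauthenticated GET to the endpoint: a vulnerable install answers 200 with the addon list, while the hardened registration answers 401 with a rest_forbidden error body.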
Potential Impact
For European organizations, the exposure of addon details can facilitate reconnaissance by threat actors, enabling them to identify outdated or vulnerable plugin versions and tailor attacks accordingly. This can increase the risk of subsequent exploitation, such as privilege escalation or site compromise, especially if the exposed versions have known exploits. While the vulnerability itself does not allow direct modification or denial of service, the information leakage undermines confidentiality and can weaken the overall security posture. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, and government, may face compliance risks if attackers leverage this information to breach systems. Additionally, the exposure of download URLs could allow attackers to distribute malicious versions or conduct supply chain attacks if users rely on these URLs without verification. Given the widespread use of WordPress in Europe, the vulnerability could affect a broad range of organizations, from SMEs to large enterprises, increasing the attack surface.
Mitigation Recommendations
Immediate mitigation should focus on restricting access to the vulnerable REST API endpoint. This can be achieved by implementing authentication and authorization checks at the web server or application firewall level to block unauthenticated requests to /wp-json/adminify/v1/get-addons-list. Organizations should monitor API access logs for unusual or repeated requests to this endpoint, which may indicate reconnaissance activity. Until an official patch is released, consider disabling or uninstalling the WP Adminify plugin if feasible, or replacing it with alternative plugins that do not expose sensitive information. Once a patch or updated plugin version is available, apply it promptly to remove the vulnerability. Additionally, conduct regular plugin audits to identify and update outdated components, and educate administrators about the risks of exposing internal plugin data. Employing a Web Application Firewall (WAF) with custom rules to detect and block suspicious REST API calls can provide an additional layer of defense.
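One way to apply the interim restriction described above inside WordPress itself, rather than at the web server, is a must-use plugin that short-circuits the REST dispatcher for this one route. This is an added example, not WP Adminify's code or an official fix; the route is taken from the advisory, while the capability used, the log line format and the file name are assumptions. It also writes a log entry for every refused request, which gives the monitoring step something concrete to alert on.

```php
<?php
/**
 * Plugin Name: Example Adminify addons-list guard (mu-plugin)
 * Description: Added interim mitigation, not plugin code. Place in
 * wp-content/mu-plugins/ to refuse unauthenticated access to the route named
 * in the advisory until WP Adminify is updated. Route from the advisory;
 * capability and log format are assumptions.
 */

// Route as seen by WP_REST_Server (no /wp-json prefix).
const EXAMPLE_ADMINIFY_GUARDED_ROUTE = '/adminify/v1/get-addons-list';

add_filter( 'rest_pre_dispatch', 'example_adminify_guard_addons_list', 10, 3 );

function example_adminify_guard_addons_list( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // Another filter may already have short-circuited the request; keep its answer.
    if ( null !== $result ) {
        return $result;
    }

    // WordPress matches routes case-insensitively and we compare before that
    // matching happens, so normalise case and trailing slash here too.
    $route = untrailingslashit( $request->get_route() );
    if ( 0 !== strcasecmp( EXAMPLE_ADMINIFY_GUARDED_ROUTE, $route ) ) {
        return $result; // not our route, let dispatch continue normally
    }

    // Administrators keep access; WordPress still enforces the REST nonce for
    // cookie-authenticated requests, so a bare browser GET is not enough.
    if ( current_user_can( 'manage_options' ) ) {
        return $result;
    }

    // Log the refused attempt so repeated probing of this endpoint is visible
    // in the PHP error log (or wherever error_log() is routed).
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'adminify-guard: refused %s %s from %s',
        $request->get_method(),
        $route,
        $ip
    ) );

    // Returning a WP_Error from rest_pre_dispatch ends the request with this
    // error response before the plugin's own callback runs.
    return new WP_Error(
        'rest_forbidden',
        'Authentication required.',
        array( 'status' => rest_authorization_required_code() )
    );
}
```

Because mu-plugins load before regular plugins and cannot be deactivated from the dashboard, this guard stays in force regardless of the plugin's own registration. Remove it once the updated plugin version has been applied and verified, so the guard does not mask a later regression.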
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-16T19:04:24.186Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697a1ed44623b1157cc754bb
Added to database: 1/28/2026, 2:36:04 PM
Last enriched: 1/28/2026, 2:50:14 PM
Last updated: 1/28/2026, 4:18:15 PM