CVE-2026-10823: CWE-200 Information Exposure in YMC Filter
A vulnerability in the YMC Filter WordPress plugin before version 3.11.3 allows unauthenticated attackers to access a REST API endpoint without proper authorization. This flaw enables attackers to retrieve titles and content of private, draft, and other non-public posts. The issue arises from missing authorization checks and lack of validation on a user-supplied query parameter.
AI Analysis
Technical Summary
CVE-2026-10823 is an information exposure vulnerability (CWE-200) in the YMC Filter WordPress plugin. Versions prior to 3.11.3 do not properly authorize access to one of their REST API endpoints and fail to validate a user-supplied query parameter. This allows unauthenticated attackers to retrieve sensitive content including private, draft, and other non-public posts via the API.
Potential Impact
The vulnerability exposes potentially sensitive content that should be restricted, including private and draft posts, to unauthenticated users. This can lead to unintended disclosure of confidential or sensitive information managed within the WordPress site.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch information is provided, users should monitor the vendor's communications for updates. Until a fix is available, consider restricting access to the affected REST API endpoint or disabling the YMC Filter plugin if feasible.
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2026-06-04T08:04:38.962Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3e1cac4853345fc15dea58
Added to database: 06/26/2026, 06:31:08 UTC
Last enriched: 06/26/2026, 06:46:02 UTC
Last updated: 06/26/2026, 12:09:36 UTC