CVE-2026-9013 is a missing authorization vulnerability (CWE-862) in the Bogo WordPress plugin by rocklobsterinc. It affects all versions up to and including 3.9.1. Authenticated attackers with subscriber-level permissions can exploit the bogo_rest_create_post_translation REST endpoint to duplicate posts written in a non-default locale and receive sensitive fields such as title.raw, content.raw, and excerpt.raw of private, draft, or password-protected posts. While subscribers can trigger the endpoint, only contributors and higher roles can read the duplicated sensitive content due to permission restrictions. This vulnerability leads to sensitive information exposure without impacting integrity or availability.

The vulnerability allows unauthorized disclosure of sensitive content from private, draft, or password-protected posts in WordPress sites using the Bogo plugin. Attackers with subscriber-level access can trigger duplication of posts in non-default locales and extract raw content fields, potentially exposing confidential information. There is no impact on data integrity or availability. The CVSS v3.1 base score is 4.3, indicating a medium severity level.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is currently documented. Until a patch is available, restrict subscriber and contributor access where possible and monitor for unusual use of the bogo_rest_create_post_translation endpoint. Review and limit permissions for translation-related REST API endpoints to prevent unauthorized duplication and data exposure.