CVE-2026-1060

WP Adminify <= 4.0.7.7 - Unauthenticated Sensitive Information Exposure via 'get-addons-list' REST API

Severity: medium
Weakness: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 5.3
Patched in: 4.0.7.8
Time to patch: 2d

Description

The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 4.0.7.7
Published: January 27, 2026
Last updated: January 28, 2026
Affected plugin: adminify

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan focuses on exploiting CVE-2026-1060, a sensitive information exposure vulnerability in the WP Adminify plugin.

1. Vulnerability Summary

The WP Adminify plugin (versions <= 4.0.7.7) exposes a REST API endpoint /wp-json/adminify/v1/get-addons-list which is registered with a permission_callback that returns true. This misconfiguration allows any unauthenticated user to query the internal status of plugin addons. The exposed data includes addon slugs, current versions, installation statuses, and—most critically—direct download URLs for these addons.

2. Attack Vector Analysis

  • Endpoint: /wp-json/adminify/v1/get-addons-list
  • Namespace: adminify/v1
  • HTTP Method: GET (Inferred based on "get" naming convention in REST routes)
  • Authentication: None (Unauthenticated)
  • Preconditions: The WP Adminify plugin must be active. No specific addon needs to be enabled for the list itself to be returned.

3. Code Flow

  1. Route Registration: The plugin hooks into rest_api_init.
  2. Endpoint Definition: Inside the registration logic (likely in a class named Adminify_Rest_API or similar), register_rest_route is called:
    register_rest_route( 'adminify/v1', '/get-addons-list', [
        'methods'             => 'GET', // or WP_REST_Server::READABLE
        'callback'            => [ $this, 'get_addons_list_callback' ],
        'permission_callback' => '__return_true', // VULNERABILITY: No capability check
    ]);
    
  3. Callback Execution: When the endpoint is hit, get_addons_list_callback is executed.
  4. Data Retrieval: The callback fetches an array of addons, often from a remote server or internal config file, and appends metadata like version, status, and download_url.
  5. Response: The data is returned as a JSON object to the unauthenticated requester.

4. Nonce Acquisition Strategy

According to the vulnerability description, the permission_callback is set to __return_true.

  • Requirement: No _wpnonce or X-WP-Nonce should be required to access this specific endpoint because it is explicitly designed to be public (though incorrectly so).
  • Verification: If the request returns a 401 Unauthorized or rest_cookie_invalid_nonce, a nonce can be retrieved by navigating to the site homepage and checking the localized scripts for the wp_rest nonce or generic adminify nonces.

Note: Since this is a REST API information leak with __return_true, we will proceed assuming no nonce is required.

5. Exploitation Strategy

The exploit involves a direct GET request to the vulnerable REST endpoint.

Step 1: Discovery
Send a simple GET request to check for the existence of the endpoint.

  • Tool: http_request
  • Method: GET
  • URL: http://localhost:8080/wp-json/adminify/v1/get-addons-list
  • Headers: Accept: application/json

Step 2: Data Extraction
Parse the JSON response. Look for the following keys in the objects within the returned list:

  • slug: The internal name of the addon.
  • version: The current version of the addon.
  • download_url: The URL used to fetch the addon zip.

6. Test Data Setup

  1. Plugin Installation: Ensure WP Adminify version 4.0.7.7 is installed and activated.
  2. Permalinks: Ensure WordPress Permalinks are enabled (e.g., set to "Post name") so the /wp-json/ route is reachable.
    • Command: wp rewrite structure '/%postname%/' --hard
  3. Addons: No specific addons need to be configured, as the vulnerability exposes the available list regardless of local configuration.

7. Expected Results

A successful exploit will return a 200 OK status with a JSON body similar to:

[
  {
    "slug": "adminify-pro-addon",
    "version": "1.2.3",
    "status": "not_installed",
    "download_url": "https://wpadminify.com/downloads/some-secret-token/addon.zip"
  },
  ...
]

The presence of download_url for potentially premium or internal components confirms the "Sensitive Information Exposure" vulnerability.

8. Verification Steps

  1. Confirm Exposure: Use http_request to view the response body.
  2. Check for Access Control: Attempt the same request while logged out (incognito/fresh session) to prove it is unauthenticated.
  3. Validate Download URL: If a download_url is provided in the JSON, attempt a HEAD request to that URL to verify it is valid and accessible.

9. Alternative Approaches

If the /wp-json/ prefix is blocked or changed:

  1. Try the alternative route: /?rest_route=/adminify/v1/get-addons-list.
  2. Check for other Adminify REST routes that might use the same permission_callback by searching the plugin source for register_rest_route calls near the vulnerable endpoint.
  3. If GET fails, attempt POST with an empty body, as some WP REST implementations are inconsistent with method requirements.
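
Added example (not part of this advisory or of the plugin's code): a small log check a site owner can run over web-server access logs to find reads of this route in either form named above, the pretty-permalink /wp-json/ path or the ?rest_route= fallback, including URL-encoded variants. The log lines are constructed samples in common log format; after the fix in 4.0.7.8 an unauthenticated call to this route no longer answers 200.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# The REST route from the advisory, in its canonical (decoded) form.
ROUTE = "/adminify/v1/get-addons-list"

# Common log format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: two reads via both route forms from one client,
# an unrelated core route, and a call that was refused (as on a patched site).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jan/2026:10:01:02 +0000] "GET /wp-json/adminify/v1/get-addons-list HTTP/1.1" 200 1834',
    '203.0.113.7 - - [27/Jan/2026:10:01:09 +0000] "GET /?rest_route=%2Fadminify%2Fv1%2Fget-addons-list HTTP/1.1" 200 1834',
    '198.51.100.4 - - [27/Jan/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120',
    '198.51.100.4 - - [27/Jan/2026:10:02:30 +0000] "POST /wp-json/adminify/v1/get-addons-list HTTP/1.1" 401 52',
]


def route_of(target: str) -> Optional[str]:
    """Return the REST route a request target addresses, or None if it is not a REST call.

    Handles both /wp-json/<route> (also under a sub-directory install) and the
    ?rest_route=<route> fallback; the query string is decoded by parse_qs."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")
    if "/wp-json/" in path:
        return "/" + path.split("/wp-json/", 1)[1]
    rest_route = parse_qs(parts.query).get("rest_route")
    if rest_route:
        return rest_route[0].rstrip("/")
    return None


def find_addons_list_hits(log_lines):
    """Return (client ip, method, status) for every request that reached the exposed route.

    A 200 here on a site still running <= 4.0.7.7 means the addon list was served."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and route_of(m.group("target")) == ROUTE:
            hits.append((m.group("ip"), m.group("method"), int(m.group("status"))))
    return hits
```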

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Adminify plugin for WordPress exposes a REST API endpoint /wp-json/adminify/v1/get-addons-list to unauthenticated users due to an insecure permission_callback set to __return_true. This allows attackers to access sensitive metadata about plugin addons, including internal status, version numbers, and direct download URLs.

Vulnerable Code

// Likely located in a class handling REST API registration
register_rest_route( 'adminify/v1', '/get-addons-list', [
    'methods'             => 'GET',
    'callback'            => [ $this, 'get_addons_list_callback' ],
    'permission_callback' => '__return_true',
]);

Security Fix

--- a/inc/classes/class-adminify-rest-api.php
+++ b/inc/classes/class-adminify-rest-api.php
@@ -25,3 +25,5 @@
                 'methods'             => 'GET',
                 'callback'            => [ $this, 'get_addons_list_callback' ],
-                'permission_callback' => '__return_true',
+                'permission_callback' => function () {
+                    return current_user_can('manage_options');
+                },
             ]);
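Review bot: the hunk header `@@ -25,3 +25,5 @@` does not match the body, which has four old-side lines (two leading context, one removed, one trailing context) and six new-side lines, so the patch will not apply cleanly; it should read `@@ -25,4 +25,6 @@`. Since the findings above are marked as static analysis and the vulnerable-code listing only says the registration is "likely" in a REST class, the path inc/classes/class-adminify-rest-api.php and the exact fix should be confirmed against the 4.0.7.8 release before this diff is cited as the vendor's patch. The closure itself is fine: returning `false` from a permission_callback is enough for core to answer with rest_forbidden.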

Exploit Outline

The exploit targets the exposed REST API route without requiring any authentication or nonces. An attacker sends a GET request to the endpoint `/wp-json/adminify/v1/get-addons-list`. Because the permission check is explicitly bypassed by the plugin, the server responds with a JSON array containing the configuration and metadata of all available addons. The attacker then parses this response to extract addon slugs and, most importantly, the `download_url` field, which can be used to download the addon source code directly.
