← Back

Activitypub

activitypub

Vendor: Automattic • 5 CVEs

CVEs (5)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2026-4338
1Automattic
1Activitypub
Apr 14, 2026
Apr 8, 2026
N/A· v4
7.5 HIGH· v3
N/A· v2
The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts
CVE-2023-5057
1Automattic
1Activitypub
Nov 21, 2024
Oct 16, 2023
N/A· v4
5.4 MEDIUM· v3
N/A· v2
The ActivityPub WordPress plugin before 1.0.0 does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks
CVE-2023-3746
1Automattic
1Activitypub
Apr 23, 2025
Oct 16, 2023
N/A· v4
5.4 MEDIUM· v3
N/A· v2
The ActivityPub WordPress plugin before 1.0.0 does not sanitize and escape some data from post content, which could allow contributor and above role to perform Stored Cross-Site Scripting attacks
CVE-2023-3707
1Automattic
1Activitypub
Apr 23, 2025
Oct 16, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the content of arbitra...Show more
The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the content of arbitrary post (such as draft and private) via an IDOR vector. Password protected posts are not affected by this issue.Show less
CVE-2023-3706
1Automattic
1Activitypub
Apr 23, 2025
Oct 16, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the title of arbitrary p...Show more
The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the title of arbitrary post (such as draft and private) via an IDOR vectorShow less