Activitypub
cpe:2.3:a:automattic:activitypub:*:*:*:*:*:wordpress:*:*
part: a version: * update: *
| Vendor | Automattic (1dc39c9b-4ddb-5af6-acf4-410b436129a9) |
|---|---|
| Product | Activitypub (bea57749-efb4-5e5d-b5f9-8cdd4d4532d7) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | wordpress |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-4338 | vulnerable | 2026-06-03 15:26:25.321523 | ActivityPub Routing < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure<br>The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowing unauthenticated users to access drafts/scheduled/pending posts<br>Published: 2026-04-08T06:00:08.001Z<br>Updated: 2026-04-08T16:06:53.365Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-5057 | vulnerable | 2026-06-03 14:53:46.871304 | ActivityPub for WordPress < 1.0.0 - Contributor+ Stored XSS<br>The ActivityPub WordPress plugin before 1.0.0 does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks<br>Published: 2023-10-16T19:39:13.142Z<br>Updated: 2024-08-02T07:44:53.809Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-52199 | vulnerable | 2026-06-03 14:53:38.903995 | WordPress ActivityPub plugin <= 1.0.5 - Unauthenticated Broken Access Control vulnerability<br>MEDIUM (6.5)<br>Missing Authorization vulnerability in Matthias Pfefferle & Automattic ActivityPub. This issue affects ActivityPub: from n/a through 1.0.5.<br>Published: 2024-06-11T14:13:43.515Z<br>Updated: 2026-04-28T16:09:06.698Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-3746 | vulnerable | 2026-06-03 14:52:41.730402 | ActivityPub for WordPress < 1.0.1 - Contributor+ Stored XSS<br>The ActivityPub WordPress plugin before 1.0.0 does not sanitize and escape some data from post content, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks<br>Published: 2023-10-16T19:39:14.930Z<br>Updated: 2025-04-23T16:12:00.785Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-3707 | vulnerable | 2026-06-03 14:52:41.597691 | ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Content Disclosure<br>The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as a subscriber, to retrieve the content of arbitrary posts (such as draft and private) via an IDOR vector. Password protected posts are not affected by this issue.<br>Published: 2023-10-16T19:39:12.296Z<br>Updated: 2025-04-23T16:12:12.691Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-3706 | vulnerable | 2026-06-03 14:52:41.597091 | ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Title Disclosure<br>The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as a subscriber, to retrieve the title of arbitrary posts (such as draft and private) via an IDOR vector<br>Published: 2023-10-16T19:39:15.786Z<br>Updated: 2025-04-23T16:11:55.074Z | Imported from gcve-enriched-dumps CVE data |