CVE-2026-12906

CVE-2026-12906CVE-2026-12906

Description

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.

Scoring

CVSS 2.7 ()
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Last modified2026-07-16
Sourced from NVD. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.