Report
The ActivityPub plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 0.17.0 due to missing validation on a user controlled key. This can allow authenticated attackers, with subscriber-level permissions and above, to expose potentially sensitive post titles (e.g., draft and private post titles).
Score:4.3
Severity:Medium
Version:< 1.0.0
There is a patch available in v1.0.0 and we strongly recommend you update to this version as soon as possible.
