Automattic Activitypub — known CVE vulnerabilities
Every CVE whose affected-product data names Automattic Activitypub, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (5)
CVE-2026-4338 — CVSS 7.5 (high): The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access…
CVE-2023-3746 — CVSS 5.4 (medium): The ActivityPub WordPress plugin before 1.0.0 does not sanitize and escape some data from post content, which could allow contributor and…
CVE-2023-5057 — CVSS 5.4 (medium): The ActivityPub WordPress plugin before 1.0.0 does not escape user metadata before outputting them in mentions, which could allow users…
CVE-2023-3706 — CVSS 4.3 (medium): The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin…
CVE-2023-3707 — CVSS 4.3 (medium): The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin…