HarborGuard Database
HIGH | CVE-2026-49063 | CNA: Patchstack

CVE-2026-49063: WordPress Listdom plugin <= 5.5.0 - Privilege Escalation vulnerability

Unauthenticated Privilege Escalation in Listdom <= 5.5.0 versions.

Metrics

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: no fix version published upstream yet
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated privilege escalation vulnerability affects the Listdom WordPress plugin, developed by Webilia Inc., at version 5.5.0 and earlier. The flaw is reachable over the network and needs neither credentials nor user interaction, so any attacker who can send HTTP requests to the WordPress installation can attempt it. Successful exploitation lets the attacker obtain privileges within the application that were never granted to them. The published CVSS v3.1 vector rates each of the confidentiality, integrity and availability impacts as Low with scope unchanged, which is why the score lands at 7.3 rather than in the critical range; the advisory does not say which role an attacker ends up with or through which plugin endpoint, so what an attacker actually obtains is not characterized beyond the vector. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as a fix version is published upstream.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-49063 is available across every HarborGuard environment, with ingestion from upstream feeds including Patchstack within minutes of publication and automatic matching against all images in customer registries and CI pipelines. This coverage extends to custom-built images that bundle the Listdom plugin, not just official upstream images.

Available
Triage

HarborGuard scores this CVE at 7.3 HIGH using the published CVSS v3.1 vector and can weight that score against each customer organization's per-environment compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on configured policy rules.

Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the Listdom advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Webilia Inc. releases a remediated version. Customers with auto-remediation enabled will receive the rebuild, a regression test run, and a pull request opened against affected workloads as soon as that upstream fix lands.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the WordPress installation over the network (CVSS AV:N); the vulnerable endpoint is exposed over ordinary HTTP/HTTPS and the vector implies no network-layer restriction.

  • Authentication: Not required

    No account or session credentials of any privilege level are needed to trigger the vulnerability (PR:N).

  • Victim interaction: Not required

    No action by an existing user or administrator is needed for exploitation (UI:N).

  • Attack complexity: Low

    The exploit is expected to be reliable and to need no special timing, race condition, or environmental prerequisite beyond network access (AC:L).

Blast Radius

  • A successful attacker gains elevated privileges within the WordPress application, potentially accessing functionality and data restricted to higher-privilege roles.
  • Confidential data accessible to elevated roles, such as user records, private posts, and plugin configuration, becomes readable by the attacker.
  • The attacker can modify application content, settings, or user data within the scope of the escalated role.
  • Limited availability impact is possible, with the attacker able to disrupt or degrade portions of the application reachable at the escalated privilege level.

How HarborGuard Handles This

Available on HarborGuard: monitoring for CVE-2026-49063 is active, and images containing Listdom at version 5.5.0 or earlier are flagged on every scan cycle. Because no upstream fix exists at this time, HarborGuard continues to poll the Patchstack advisory feed on each ingest cycle and will surface a patched-image rebuild automatically when Webilia Inc. publishes a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and pull request against affected workloads are initiated without manual intervention at that point. In the interim, compensating controls worth evaluating include: network-policy isolation so the WordPress installation is not reachable from the public internet (with AV:N and PR:N in the vector, reachability is the only precondition); web application firewall rules in front of the plugin, bearing in mind that the advisory does not identify the vulnerable endpoint, so rules can only be generic until the fix diff shows which request path or action is involved; and removing the Listdom plugin from images where it is not operationally required. Removal is preferable to deactivation: deactivating stops WordPress from loading the plugin's hooks, but its PHP files remain in the web root, and any file that can be requested directly stays reachable.
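As an added example (not HarborGuard's tooling and not code from the Listdom project), the following POSIX shell script implements the interim check a build pipeline or host audit can run while the fix is pending: it reads the plugin's version from its WordPress plugin header and reports whether it falls in the affected range (≤ 5.5.0), using a numeric dotted-version compare so that, for instance, a hypothetical 5.10.0 is not mistaken for an affected build by string ordering. It assumes the plugin directory wp-content/plugins/listdom and main file listdom.php, neither of which the advisory states, and it constructs its own sample plugin header so it runs offline.

```shell
#!/bin/sh
# Added example: flag Listdom builds in the advisory's affected range (<= 5.5.0).
# Assumptions not stated in the advisory: the plugin lives under
# wp-content/plugins/listdom and its main file listdom.php carries the standard
# WordPress "Version:" header line.

AFFECTED_MAX="5.5.0"

# plugin_version FILE: print the "Version:" value from a WordPress plugin header.
plugin_version() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*//p' "$1" |
    head -n 1 | tr -d '[:space:]'
}

# version_le A B: exit 0 when A <= B, comparing dotted components numerically
# (missing components count as 0, so 5.5 == 5.5.0 and 5.10.0 > 5.9.0).
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 0
  }'
}

# listdom_status FILE: print "affected <ver>", "fixed <ver>" or "unknown";
# exit 0 only when the version is inside the advisory range, so the script
# can gate a pipeline step with a plain "if listdom_status ...; then fail".
listdom_status() {
  v=$(plugin_version "$1")
  if [ -z "$v" ]; then
    echo "unknown"
    return 2
  fi
  if version_le "$v" "$AFFECTED_MAX"; then
    echo "affected $v"
    return 0
  fi
  echo "fixed $v"
  return 1
}

# write_sample_plugin ROOT VERSION: write a constructed plugin header (not the
# real plugin's file) under ROOT so the check can be exercised offline;
# prints the path of the file it wrote.
write_sample_plugin() {
  dir="$1/wp-content/plugins/listdom"
  mkdir -p "$dir"
  cat > "$dir/listdom.php" <<EOF
<?php
/**
 * Plugin Name: Listdom
 * Version: $2
 */
EOF
  echo "$dir/listdom.php"
}

# Stand-alone run against a constructed 5.5.0 install: prints "affected 5.5.0".
sample=$(write_sample_plugin "$(mktemp -d)" "5.5.0")
listdom_status "$sample"
```

On a real install point listdom_status at the extracted image's or host's wp-content/plugins/listdom/listdom.php. Where the plugin must stay installed but can be turned off until the fix lands, WP-CLI can deactivate it (`wp plugin deactivate listdom`, the slug being an assumption here) or delete it (`wp plugin delete listdom`); given the point above about deactivated plugin files remaining in the web root, prefer deletion where the plugin is not required.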

Affected packages
  • Webilia Inc. / Listdom: ≤ 5.5.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L