Automattic Activitypub
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Automattic Activitypub.
By the Year
In 2026 there have been 0 vulnerabilities in Automattic Activitypub. Activitypub did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 1 | 0.00 |
| 2023 | 4 | 4.85 |
It may take a day or so for new Activitypub vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Automattic Activitypub Security Vulnerabilities
Missing Auth in Automattic ActivityPub <1.0.5
CVE-2023-52199
- June 11, 2024
Missing Authorization vulnerability in Matthias Pfefferle & Automattic ActivityPub.This issue affects ActivityPub: from n/a through 1.0.5.
AuthZ
ActivityPub WP Plugin XSS before 1.0.0 via post content
CVE-2023-3746
5.4 - Medium
- October 16, 2023
The ActivityPub WordPress plugin before 1.0.0 does not sanitize and escape some data from post content, which could allow contributor and above role to perform Stored Cross-Site Scripting attacks
XSS
ActivityPub WP Plugin <=1.0.0 IDOR: Authenticated Users Access Non-Public Posts
CVE-2023-3707
4.3 - Medium
- October 16, 2023
The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the content of arbitrary post (such as draft and private) via an IDOR vector. Password protected posts are not affected by this issue.
Insecure Direct Object Reference / IDOR
ActivityPub WP Plugin <1.0.0 IDOR Exposes Private Post Titles
CVE-2023-3706
4.3 - Medium
- October 16, 2023
The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the title of arbitrary post (such as draft and private) via an IDOR vector
Insecure Direct Object Reference / IDOR
Stored XSS in ActivityPub WP Plugin <1.0.0 via Unescaped User Metadata
CVE-2023-5057
5.4 - Medium
- October 16, 2023
The ActivityPub WordPress plugin before 1.0.0 does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Automattic Activitypub or by Automattic? Click the Watch button to subscribe.
