Hubbub Lite < 1.33.1 – Unauthenticated Password Protected Posts Access | CVE 2024-1526

Description

The plugin does not ensure that user have access to password protected post before displaying its content in a meta tag.

Proof of Concept

When the "Disable Open Graph Meta Tags" settings of the plugin is disabled, view the source of a password protected post and note its content being disclosed in the "og:description" meta property tag.

Affects Plugins

social-pug

Fixed in 1.33.1

References

CVE

CVE-2024-1526

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-287

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

cert_polska_en

Verified

Yes

WPVDB ID

1664697e-0ea3-4d09-b2fd-153a104ec255

Timeline

Publicly Published

2024-03-11 (about 2 months ago)

Added

2024-03-11 (about 2 months ago)

Last Updated

2024-03-11 (about 2 months ago)

Other

Published

Title

Published

2016-09-19

Title

Order Export Import for WooCommerce 1.0.8 - Order Information Disclosure

Published

2014-08-01

Title

Groups 1.4.5 - Negated Role Capability H&ling Elevated Privilege Issue

Published

2014-08-01

Title

WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass

Published

2023-01-27

Title

ContentStudio < 1.2.6 - Authorisation Bypass

Published

2023-10-25

Title

Admin and Site Enhancements (ASE) < 5.8.0 - Password Protection Mode Security Feature Bypass