WordPress Plugin Vulnerabilities

Inline Related Posts < 3.6.0 - Subscriber+ Password Protected Post Read

Description

The plugin does not ensure that post content displayed via an AJAX action are accessible to the user, allowing any authenticated user, such as subscriber to retrieve the content of password protected posts

Proof of Concept

When logged in as a subscriber, open the following URL and note that the content of password protected posts is displayed : https://example.com/wp-admin/admin-ajax.php?action=irp_list_posts

Affects Plugins

Plugin icon
intelly-related-posts
Fixed in 3.6.0

References

CVE
CVE-2023-6257

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287

Miscellaneous

Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Submitter website
https://cert.pl
Submitter twitter
cert_polska_en
Verified
Yes
WPVDB ID
19a86448-8d7c-4f02-9290-d9f93810e6e1

Timeline

Publicly Published
2024-03-21 (about 1 months ago)
Added
2024-03-21 (about 1 months ago)
Last Updated
2024-03-21 (about 1 months ago)

Other

Published
Title
Published
2022-02-22
Title
RW Divi Unite Gallery <= 1.0 - Security Bypass via Outdated Freemius
Published
2021-02-02
Title
MStore API < 3.2.0 - Authentication Bypass With Sign In With Apple
Published
2022-09-05
Title
OAuth client Single Sign On for WordPress < 3.0.4 - Unauthenticated Settings Update to Authentication Bypass
Published
2014-08-01
Title
WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass
Published
2014-08-01
Title
portable-phpMyAdmin < 1.3.1 - Authentication Bypass