Logo Carousel < 3.4.2 – Unauthorised Private Post Access | CVE 2021-24739 | Plugin Vulnerabilities

Description

The plugin allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature

Proof of Concept

1) Go to Logo Carousel -> Shortcode Generator.
2) If there is no carousel, create one.
3) Copy URL of the "Duplicate" link under the carousel item.
4) Replace "post" parameter with the post ID of a private post.
5) Visit the link.
6) The private post is duplicated. The post can be viewed at Posts -> All Posts.

e.g: https://example.com/wp-admin/admin.php?action=sp_lc_shortcode_duplicate&post=1764&sp_lc_duplicate_nonce=1c00367003

Affects Plugins

logo-carousel-free

Fixed in 3.4.2

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

2afadc76-93ad-47e1-a224-e442ac41cbce

Timeline

Publicly Published

2021-11-22 (about 4 years ago)

Added

2021-11-22 (about 4 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2024-10-14

Title

WP 2FA with Telegram < 3.1 - Authenticated (Subscriber+) Authentication Bypass

Published

2022-11-14

Title

TeraWallet - For WooCommerce < 1.4.4 - Subscriber+ Arbitrary Wallet Lock/Unlock via IDOR

Published

2025-09-09

Title

Resideo Plugin for Resideo - Real Estate WordPress Theme <= 2.5.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Privilege Escalation via Account Takeover

Published

2023-07-24

Title

Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR

Published

2025-03-31

Title

Radius Blocks <= 2.2.1 - Authenticated (Subscriber+) Insecure Direct Object Reference