WordPress Plugin Vulnerabilities

Advanced Post Block < 1.13.5 - Unauthenticated Arbitrary Post Access

Description

The plugin is vulnerable to unauthorized access of data due to a missing capability check on the apbPosts() function hooked via an AJAX action. This makes it possible for unauthenticated attackers to retrieve all post data, including those that may be password protected.

Affects Plugins

Plugin icon
advanced-post-block
Fixed in 1.13.5

References

CVE
CVE-2024-0908
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8fb6c221-d885-42b5-977c-39e8608e3e31

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
33a51650-f244-4fc0-a148-bdf0e8143af9

Timeline

Publicly Published
2024-04-11 (about 2 years ago)
Added
2024-04-11 (about 2 years ago)
Last Updated
2024-05-24 (about 2 years ago)

Other

Published
Title
Published
2022-11-21
Title
Betheme < 26.6.3 - Missing Authorization
Published
2025-02-11
Title
aDirectory – WordPress Directory Listing Plugin < 2.3.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Published
2024-10-25
Title
Token Login <= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation
Published
2024-03-28
Title
Events Manager < 6.4.7 - Missing Authorization
Published
2025-08-07
Title
Global Gallery < 9.2.4 - Missing Authorization