WordPress Plugin Vulnerabilities

Co-Authors-Plus 3.5/3.5.1 - Guest Authors Email Address Disclosure

Description

The plugin introduced an information disclosure vulnerability (specifically, the e-mails of guest authors) via a public REST endpoint accessible without any authentication

Proof of Concept

Affects Plugins

Plugin icon
co-authors-plus
Fixed in 3.5.2

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Douglas Johnson
Verified
Yes
WPVDB ID
3b59fa89-76f2-42de-b8dc-b20029b03ca2

Timeline

Publicly Published
2022-06-02 (about 3 years ago)
Added
2022-06-02 (about 3 years ago)
Last Updated
2022-06-02 (about 3 years ago)

Other

Published
Title
Published
2025-12-15
Title
Pixel Manager for WooCommerce < 1.52.0 - Unauthenticated Information Exposure
Published
2025-12-12
Title
GenerateBlocks < 2.2.0 - Authenticated (Contributor+) Information Exposure via Metadata
Published
2026-02-02
Title
Run Contests, Raffles, and Giveaways with ContestsWP < 2.1.1 - Unauthenticated Information Exposure
Published
2023-10-16
Title
Social Media Share Buttons & Social Sharing Icons < 2.8.6 - Subscriber+ Sensitive Information Exposure
Published
2024-12-16
Title
PPWP – Password Protect Pages < 1.9.6 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure