WordPress Plugin Vulnerabilities

Find My Blocks < 3.4.0 - Private Post Titles Disclosure

Description

The plugin does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles.

Proof of Concept

Create a private post with at least one Gutenburg paragraph block and go to

https://example.com/wp-json/find-my-blocks/blocks/?name=core/paragraph

Affects Plugins

Plugin icon
find-my-blocks
Fixed in 3.4.0

References

CVE
CVE-2021-24677

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
40c7e424-9a97-41ab-a312-2a06b607609a

Timeline

Publicly Published
2021-09-15 (about 2 years ago)
Added
2021-09-15 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2023-10-16
Title
Awesome Support < 6.1.5 - Insufficient permission check in wpas_edit_reply
Published
2024-02-06
Title
Customer Reviews for WooCommerce < 5.39.0 - Improper Authorization via submit_review
Published
2020-12-14
Title
Total Upkeep by BoldGrid < 1.14.10 - Unauthenticated Backup Download
Published
2021-07-12
Title
Frontend File Manager < 18.3 - Privilege Escalation
Published
2020-11-28
Title
BuddyPress < 6.4.0 - Lack of Capability Check on Profile Page