WordPress Plugin Vulnerabilities

Content Slider Block – Create fully functional slider with Gutenberg block < 3.1.6 - Authenticated (Contributor+) Post Disclosure

Description

The Content Slider Block plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.1.5 via the [csb] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

Affects Plugins

Plugin icon
content-slider-block
Fixed in 3.1.6

References

CVE
CVE-2024-10667
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c34ca97f-d974-4ad1-b4a5-93613eb43a37

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
593dcd0d-2ccc-4db7-874e-efd884cc90b6

Timeline

Publicly Published
2024-11-08 (about 1 year ago)
Added
2024-11-08 (about 1 year ago)
Last Updated
2024-11-09 (about 1 year ago)

Other

Published
Title
Published
2026-02-11
Title
Image Photo Gallery Final Tiles Grid < 3.6.12 - Authenticated (Author+) Insecure Direct Object Reference
Published
2021-05-17
Title
LifterLMS < 4.21.2 - Access Other Student Grades/Answers via IDOR
Published
2025-10-24
Title
Tutor LMS Pro < 3.9.0 - Subscriber+ Other Assignments Access/Edit via IDOR
Published
2024-11-11
Title
Futurio Extra < 2.0.14 - Authenticated (Contributor+) Post Disclosure
Published
2025-11-20
Title
Return Refund and Exchange For WooCommerce < 4.5.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read