Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins < 2.0.59 – Sensitive Information Exposure | CVE 2024-10937 | Plugin Vulnerabilities

Description

The Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.58 via the wp_ajax_nopriv_related_post_ajax_get_post_ids AJAX action. This makes it possible for unauthenticated attackers to extract sensitive data including titles of posts in draft status.

Affects Plugins

Fixed in 2.0.59

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/85f7c69d-0b48-47af-9451-3cfd4326ffe5

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

7bfcf597-f83a-4ebb-bb80-50c54d8c5e1d

Timeline

Publicly Published

2024-12-04 (about 1 year ago)

Added

2024-12-04 (about 1 year ago)

Last Updated

2024-12-05 (about 1 year ago)

Other

Published

Title

Published

2024-05-21

Title

AI ChatBot < 5.3.6 - Missing Authorization via openai_file_delete_callback

Published

2020-11-28

Title

BuddyPress < 6.4.0 - Lack of Capability Check on Profile Page

Published

2021-10-24

Title

Logo Showcase with Slick Slider < 1.2.5 - Subscriber+ Arbitrary Media Title/Description/Alt Text/URL Update

Published

2021-04-14

Title

BuddyPress < 7.3.0 - Multiple Authenticated REST API Vulnerabilities

Published

2023-12-29

Title

EventPrime < 3.3.6 - Unauthenticated Event Access