B Slider- Gutenberg Slider Block for WP < 1.1.24 – Authenticated (Contributor+) Private Post Disclosure via bsb-slider Shortcode | CVE 2024-13514 | Plugin Vulnerabilities

Description

The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.5 via the 'bsb-slider' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.

Affects Plugins

Fixed in 1.1.24

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b0ab9274-35c8-473b-accb-602e53816528

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nishiv

Verified

No

WPVDB ID

7e72b84c-1e51-4d65-b5a7-a24af9f6f0c4

Timeline

Publicly Published

2025-02-03 (about 1 year ago)

Added

2025-02-03 (about 1 year ago)

Last Updated

2025-02-04 (about 1 year ago)

Other

Published

Title

Published

2023-06-02

Title

VK Blocks < 1.57.1.0 - Contributor+ Settings Update via REST API

Published

2025-10-24

Title

Tutor LMS < 3.9.0 - Missing Authorization to Sensitive Information Exposure

Published

2021-09-20

Title

WP Import Export Lite < 3.9.5 - Subscriber+ Arbitrary Blog Options Update

Published

2024-12-04

Title

Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins < 2.0.59 - Sensitive Information Exposure

Published

2023-07-17

Title

Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending