WordPress Plugin Vulnerabilities

WP Private Content Plus < 3.6.1 - Unauthenticated Protected Post Access

Description

The plugin is vulnerable to information disclosure due to the plugin not properly restricting access to posts via the REST API when a page has been made private, allowing unauthenticated attackers to view protected posts.

Affects Plugins

Plugin icon
wp-private-content-plus
Fixed in 3.6.1

References

CVE
CVE-2024-0680
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/43d8904f-3bc9-4c67-b44b-8d78762b6b30

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
7f4f9c1e-b7dd-4dfe-ba4f-8590d1c00cc5

Timeline

Publicly Published
2024-02-27 (about 2 years ago)
Added
2024-02-28 (about 2 years ago)
Last Updated
2024-12-20 (about 1 year ago)

Other

Published
Title
Published
2025-01-16
Title
Slides & Presentations <= 0.0.39 - Missing Authorization to Content Injection
Published
2022-10-17
Title
Product Stock Manager < 1.0.5 - Subscriber+ Unauthorised AJAX Calls
Published
2024-04-16
Title
ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.4 - Missing Authorization
Published
2024-08-02
Title
Build Your Dream Website Fast with 400+ Starter Templates and Landing Pages, No Coding Needed, One-Click Import for Elementor & Gutenberg Blocks! – TemplateSpare < 2.4.3 - Missing Authorization to Authenticated (Subscriber+) Theme Update
Published
2026-02-11
Title
Gutenberg Blocks by Kadence Blocks < 3.6.0 - Missing Authorization