Insert Pages < 3.7.0 – Contributor+ Arbitrary Posts/Pages Access | CVE 2021-24851

Description

The plugin allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue.

Proof of Concept

[insert page='page_slug' display='all']

Where page_slug is the slug of a private post/page created by (eg.) an admin.

Affects Plugins

insert-pages

Fixed in 3.7.0

References

CVE

CVE-2021-24851

URL

https://plugins.trac.wordpress.org/changeset/2614442/insert-pages

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

francecarlucci

Verified

Yes

WPVDB ID

919e67a1-3a50-4940-bb4f-5c5cc2017a83

Timeline

Publicly Published

2021-10-18 (about 2 years ago)

Added

2021-10-18 (about 2 years ago)

Last Updated

2022-04-16 (about 2 years ago)

Other

Published

Title

Published

2021-03-17

Title

WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts

Published

2023-10-16

Title

Awesome Support < 6.1.5 - Insufficient permission check in wpas_edit_reply

Published

2024-04-29

Title

Subway – Private Site Option <= 2.1.4 - Improper Access Control to Sensitive Information Exposure via REST API

Published

2024-04-08

Title

GamiPress < 6.8.9 - Broken Access Control

Published

2024-02-16

Title

My Private Site < 3.1.0 - Improper Access Control to Sensitive Information Exposure via REST API