WordPress Plugin Vulnerabilities

PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes < 3.5.16 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

Description

The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.15 via the 'actAjaxRevisionDiffs' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including revisions of posts and pages.

Affects Plugins

Plugin icon
revisionary
Fixed in 3.5.16

References

CVE
CVE-2024-11154
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c785b7a0-5091-4d89-87d3-cd7d9984553e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dominik Dziura (Domons)
Verified
No
WPVDB ID
9c56522c-36ec-4bf6-8d66-b4ed33b23b62

Timeline

Publicly Published
2024-11-19 (about 1 year ago)
Added
2024-11-20 (about 1 year ago)
Last Updated
2024-11-20 (about 1 year ago)

Other

Published
Title
Published
2025-06-19
Title
Import YouTube videos as WP Posts <= 2.1 - Missing Authorization
Published
2026-04-07
Title
LTL Freight Quotes – Worldwide Express Edition < 5.2.2 - Missing Authorization
Published
2025-01-08
Title
MIMO Woocommerce Order Tracking <= 1.0.2 - Missing Authorization to Limited Settings Update
Published
2024-12-02
Title
WP Mailster < 1.8.17.0 - Missing Authorization
Published
2025-07-18
Title
Vchasno Kasa < 1.0.4 - Missing Authorization to Unauthenticated Invoice Generation