WordPress Plugin Vulnerabilities

WP Post Page Clone < 1.2 - Unauthorised Post Access

Description

The plugin allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally.

Proof of Concept

Go to All Posts, find the post to clone, click "Click to Clone" then edit the cloned post to see its content

Affects Plugins

Plugin icon
wp-post-page-clone
Fixed in 1.2

References

CVE
CVE-2021-24733

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
a7fa5896-5a1d-44c6-985c-e4abcc53da0e

Timeline

Publicly Published
2021-12-27 (about 2 years ago)
Added
2021-12-27 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)

Other

Published
Title
Published
2024-05-14
Title
Password Protected < 2.6.7 - Missing Authorization to Sensitive Information Exposure
Published
2024-02-01
Title
ARMember < 4.0.25 - Improper Access Control to Sensitive Information Exposure via REST API
Published
2019-07-10
Title
WP-GraphQL < 0.3.5 - Improper Access Control
Published
2023-12-14
Title
WP VR < 8.3.15 - Unauthenticated Plugin Downgrade leading to XSS
Published
2018-12-04
Title
JobCareer < 2.4.1 - User enumeration & Reset password