WordPress Plugin Vulnerabilities

Page Restriction WordPress (WP) < 1.3.5 - Unauthenticated Protected Post Access

Description

The plugin is vulnerable to information disclosure due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected pages. The vendor has decided that they will not implement REST API protection on posts and pages and the restrictions will only apply to the front-end of the site. The vendors solution was to add notices throughout the dashboard and recommends installing the WordPress REST API Authentication plugin for REST API coverage.

Affects Plugins

Plugin icon
page-and-post-restriction
Fixed in 1.3.5

References

CVE
CVE-2024-0681
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a3e33a5c-df7c-4ef5-a59c-1c31abcda6d1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
b955d2e8-c544-4e10-af4f-c8ae2d8c106e

Timeline

Publicly Published
2024-02-27 (about 2 years ago)
Added
2024-02-28 (about 2 years ago)
Last Updated
2024-02-28 (about 2 years ago)

Other

Published
Title
Published
2025-12-30
Title
Sell Downloads < 1.2.0 - Missing Authorization
Published
2026-01-05
Title
Fluent Support < 1.10.5 - Missing Authorization
Published
2026-03-05
Title
LeadConnector < 3.0.22 - Unauthenticated Rest Call
Published
2026-04-27
Title
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration < 4.3.2 - Missing Authorization
Published
2024-01-08
Title
Word Replacer Pro <= 1.0 - Missing Authorization