Page/Post Content Shortcode <= 1.0 – Contributor+ Arbitrary Posts/Pages Access | CVE 2021-24819 | Plugin Vulnerabilities

Description

The plugin does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors.

Proof of Concept

As a contributor, add the following shortcode in a page, replacing ID with the ID of a draft/private/password protected/trashed post/page to access, then preview the post to display the content

[post-content-sc id="ID"]
[page-content-sc id="ID"]

Affects Plugins

pagepost-content-shortcode

No known fix

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

Verified

Yes

WPVDB ID

c97b218c-b430-4301-884f-f64d0dd08f07

Timeline

Publicly Published

2021-11-15 (about 4 years ago)

Added

2021-11-15 (about 4 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2021-10-26

Title

Bulk Datetime Change < 1.12 - Missing Authorisation

Published

2023-10-09

Title

Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update

Published

2021-01-28

Title

uListing < 1.7 - Unauthenticated WordPress Options Change

Published

2024-05-06

Title

ClickCease Click Fraud Protection < 3.2.5 - Improper Authorization to sensitive information exposure via get_settings

Published

2025-05-29

Title

Featured Image Plus < 1.6.6 - Missing Authorization to Authenticated (Subscriber+) Featured Image Update