Shortcodes Ultimate < 5.12.8 - Subscriber+ Arbitrary Post Access
CVE-2023-0890

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: WordPress Shortcodes Plugin — Shortcodes Ultimate
Vendor: CVE Published:; 20 March 2023

Summary

The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated users such as subscriber to view draft, private or even password protected posts. It is also possible to leak the password of protected posts

Affected Version(s)

WordPress Shortcodes Plugin — Shortcodes Ultimate 0 < 5.12.8

References

https://wpscan.com/vulnerability/8a466f15-f112-4527-8b02-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 20, 2023
Vulnerability Reserved
Feb 17, 2023

Credit

Erwan LR (WPScan)

WPScan