WordPress · Squaretype · CVE-2021-24840
Name of the Vulnerable Software and Affected Versions:
Squaretype WordPress theme version 3.0.3 and earlier
Description:
The theme lets unauthenticated users manipulate the query vars used to retrieve the posts displayed by one of its REST endpoints, without any validation. As a result, private and scheduled posts can be retrieved via a crafted request.
Recommendations:
For versions prior to 3.0.4, update to version 3.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST endpoint until the update is applied.
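The following is an added illustration, not code from the Squaretype theme or from the fix in 3.0.4. It shows the two defensive patterns the advisory points at: a REST route that builds its WP_Query from an explicit allowlist of parameters and pins post_status to publish (so private and scheduled posts are never selectable), and a temporary site-level filter that blocks anonymous access to a route until the update is applied. The route namespace, route path, argument names and function names are hypothetical; only the WordPress APIs used (register_rest_route, WP_Query, the rest_pre_dispatch filter) are real.

```php
<?php
// Added example (hypothetical route and names; not the Squaretype theme's code).

// 1. Hardened endpoint: callers only get the parameters we offer, and
//    nothing they send can reach WP_Query unfiltered.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-theme/v1', '/posts', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_theme_get_posts',
        // Public endpoint, so the handler itself must enforce visibility.
        'permission_callback' => '__return_true',
        'args'                => array(
            'per_page' => array(
                'type'              => 'integer',
                'default'           => 10,
                'minimum'           => 1,
                'maximum'           => 50,
                'sanitize_callback' => 'absint',
            ),
            'category' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_title',
            ),
        ),
    ) );
} );

function example_theme_get_posts( WP_REST_Request $request ) {
    // Build the query from an allowlist instead of passing
    // $request->get_params() straight through. post_status, post_type and
    // every other key are fixed here; the client cannot override them.
    $args = array(
        'post_type'      => 'post',
        'post_status'    => 'publish', // never 'private', 'future' (scheduled) or 'draft'
        'posts_per_page' => $request->get_param( 'per_page' ),
        'no_found_rows'  => true,
    );
    $category = $request->get_param( 'category' );
    if ( ! empty( $category ) ) {
        $args['category_name'] = $category;
    }

    $query = new WP_Query( $args );
    $items = array();
    foreach ( $query->posts as $post ) {
        $items[] = array(
            'id'    => $post->ID,
            'title' => get_the_title( $post ),
            'link'  => get_permalink( $post ),
        );
    }
    return rest_ensure_response( $items );
}

// 2. Temporary workaround (drop-in mu-plugin): refuse anonymous requests to
//    a given route until the vendor update is installed. Replace the
//    placeholder prefix with the affected route on your site.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $restricted_prefix = '/example-theme/v1/posts'; // placeholder, not the real route
    if ( 0 === strpos( $request->get_route(), $restricted_prefix ) && ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            'This endpoint is temporarily restricted to authenticated users.',
            array( 'status' => 401 )
        );
    }
    return $result;
}, 10, 3 );
```

The allowlist in part 1 is what closes this class of issue: the handler decides which WP_Query keys exist at all, so a request can add `post_status=private` or `post_status=future` and it is simply ignored. Part 2 is coarser and only buys time; remove it once the patched theme version is in place so the endpoint's normal public behaviour returns.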