PT-2021-16326 · WordPress · Improved Include Page

Francesco Carlucci

Published

2021-12-13

Updated

2022-07-29

CVE-2021-24845

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Improved Include Page WordPress plugin versions 1.2 and earlier

Description: The issue allows users with a role as low as Contributor to gain access to content they are not supposed to by passing shortcode attributes with post type and post status. This can be used to retrieve arbitrary content.

Recommendations: For Improved Include Page WordPress plugin versions 1.2 and earlier, consider disabling the shortcode functionality until a patch is available to prevent users from accessing unauthorized content. Restrict access to the post type and post status attributes to minimize the risk of exploitation.

Exploit

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

CVE-2021-24845

Affected Products

Improved Include Page

PT-2021-16326 · WordPress · Improved Include Page

CVE-2021-24845

Weakness Enumeration

Related Identifiers

Affected Products

References · 4