CVE-2023-0772

Name of the Vulnerable Software and Affected Versions The Popup Builder by OptinMonster WordPress plugin versions prior to 2.12.2

Description The issue allows any authenticated users, such as subscribers, to retrieve the content of arbitrary posts, including drafts, private, or password-protected ones, due to the plugin not ensuring that the campaign loaded via certain shortcodes is actually a campaign.

Recommendations For versions prior to 2.12.2, update to version 2.12.2 or later to resolve the issue. As a temporary workaround, consider restricting access to shortcodes that load campaigns to prevent unauthorized users from retrieving sensitive post content.