PT-2023-16593 · WordPress · Shortcodes Ultimate

Erwan Lr · Published 2023-03-20 · Updated 2023-04-24 · CVE-2023-0890

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Shortcodes Ultimate WordPress plugin versions prior to 5.12.8

Description: The issue allows any authenticated user, such as a subscriber, to view draft, private, or even password-protected posts. It is also possible to leak the password of protected posts. This occurs because the plugin does not ensure that posts displayed via some shortcodes are already public and can be accessed by the user making the request.

Recommendations: For versions prior to 5.12.8, update to version 5.12.8 or later to resolve the issue. As a temporary workaround, consider restricting access to shortcodes that display posts to only authorized users until the update is applied.
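The check the description says was missing, shown as an added example for a hypothetical shortcode (`example_post_field`); this is not Shortcodes Ultimate's code or its actual fix. It assumes the shortcode takes a post `id` and a `field` name, and that the field allow-list is what keeps the `post_password` column from being returned.

```php
<?php
// Added example: hypothetical shortcode, not code from Shortcodes Ultimate.

/**
 * Decide whether the user making the request may see $post via a shortcode.
 */
function example_can_view_post( $post ) {
    if ( ! $post instanceof WP_Post ) {
        return false; // Unknown or deleted post ID.
    }

    // Draft, pending, private, future, trash: require the read_post
    // meta capability, which WordPress maps per post and per user.
    if ( 'publish' !== get_post_status( $post )
        && ! current_user_can( 'read_post', $post->ID ) ) {
        return false;
    }

    // Password-protected: render only after the password has been supplied.
    if ( post_password_required( $post ) ) {
        return false;
    }

    return true;
}

function example_post_field_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => 0, 'field' => 'post_title' ),
        $atts,
        'example_post_field'
    );

    // Allow-list of readable fields; post_password is never exposed.
    $allowed = array( 'post_title', 'post_excerpt', 'post_content' );
    if ( ! in_array( $atts['field'], $allowed, true ) ) {
        return '';
    }

    $post = get_post( absint( $atts['id'] ) );
    if ( ! example_can_view_post( $post ) ) {
        return ''; // Fail closed: same output as a missing post.
    }

    return esc_html( $post->{ $atts['field'] } );
}
add_shortcode( 'example_post_field', 'example_post_field_shortcode' );
```

Returning the same empty string for a missing post and a forbidden one avoids confirming that a given draft or private post ID exists.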

Exploit

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2023-0890

Affected Products: Shortcodes Ultimate