PT-2024-15745 · WordPress · Page Restriction
Francesco Carlucci · Published 2024-03-13 · Updated 2025-03-11
CVE-2024-0681
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Page Restriction WordPress plugin versions up to, and including, 1.3.4
Description
The plugin is vulnerable to information disclosure because it does not properly restrict access to pages via the REST API when a page has been made private. This allows unauthenticated attackers to view protected pages. The vendor has decided not to implement REST API protection on posts and pages, and instead recommends installing the WordPress REST API Authentication plugin for REST API coverage.
Recommendations
For versions up to, and including, 1.3.4, consider installing the WordPress REST API Authentication plugin to add REST API protection, as the vendor will not be implementing this feature in the Page Restriction WordPress plugin.
As a temporary workaround, consider restricting access to the REST API to minimize the risk of exploitation.
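One way to apply the temporary workaround is a must-use plugin that refuses unauthenticated REST reads of pages and posts while leaving other REST routes untouched. This is an added example, not code from the advisory or from the vendor; the file name, the constant `PR_EXAMPLE_BLOCKED_ROUTES`, the route pattern and the error code `rest_login_required` are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Deny anonymous REST reads of pages and posts (added example)
 *
 * Save as wp-content/mu-plugins/deny-anon-rest-content.php (hypothetical name).
 * Must-use plugins load on every request and cannot be deactivated from the
 * admin UI, which suits a stop-gap control.
 */

defined( 'ABSPATH' ) || exit; // Refuse direct access to this file.

// Assumption: the core content routes that should be closed to anonymous
// callers. Extend the alternation if custom post types are also restricted.
const PR_EXAMPLE_BLOCKED_ROUTES = '#^/wp/v2/(pages|posts)(/|$)#';

add_filter(
    'rest_pre_dispatch',
    function ( $result, $server, $request ) {
        // Another filter has already produced a response: do not override it.
        if ( null !== $result ) {
            return $result;
        }

        // Authenticated users keep normal REST behaviour (block editor etc.).
        if ( is_user_logged_in() ) {
            return $result;
        }

        // Anonymous request: block it only if it targets a content route.
        if ( preg_match( PR_EXAMPLE_BLOCKED_ROUTES, $request->get_route() ) ) {
            return new WP_Error(
                'rest_login_required',
                'Authentication is required to read this content over the REST API.',
                array( 'status' => 401 )
            );
        }

        // Any other route is dispatched as usual.
        return $result;
    },
    10,
    3
);
```

With this in place an anonymous request to `/wp-json/wp/v2/pages` should return HTTP 401. Anything that relies on anonymous REST reads of posts or pages, such as a headless front end, will stop working until it authenticates.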
Fix
Protection Mechanism Failure
Weakness Enumeration
Related Identifiers
Affected Products
Page Restriction
WordPress REST API Authentication