PT-2025-23195 · Discourse · Discourse Policy Plugin

Lillinator · Published 2025-05-29 · Updated 2025-05-29 · CVE-2025-47288

CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Discourse Policy plugin, versions prior to 0.1.1

Description: The issue concerns the Discourse Policy plugin, which lets a site confirm that users have seen or done something. Prior to version 0.1.1, if a policy tied to a private group was posted in a public topic, the members of that private group could be disclosed to users who are not in the group.

Recommendations: For versions prior to 0.1.1, update to version 0.1.1 to resolve the issue. As a temporary workaround, consider moving any policy topics that reference private groups into restricted categories so that only authorised users can view them.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-47288
GHSA-JC5R-RM2J-MH4X

Affected Products

Discourse Policy Plugin