Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
By including this admin-ajax endpoint as a script in a page they control, an attacker can read every post title on the site, including the titles of drafts and private posts that should remain secret, as soon as an authenticated user visits that page (a cross-site script inclusion, since the endpoint answers with executable JavaScript rather than plain data and performs no nonce check).
Setup: install the plugin and create a private post (set "Visibility" to "private").
While authenticated, visit a webpage that contains the following HTML code:
<script src="http://192.168.0.104/wordpress5/wordpress/wp-admin/admin-ajax.php?action=qni_content_index"></script>
<script>
    console.log(window.qniContentIndex); // in a real-world attack, this would be sent to the attacker's server
</script>
Impact: disclosure of private post/page titles.
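A hardened server-side handler for this endpoint, added here as an illustration and not the plugin's own code (only the `qni_content_index` action name comes from the report; the hook callback, nonce action and capability are assumptions). It removes the two properties the attack relies on: the response is no longer executable JavaScript, and it cannot be requested without a nonce that an attacker's page cannot obtain.

```php
<?php
// Added example (not the plugin's code): hardened admin-ajax handler for
// the qni_content_index action. Names other than the action are assumed.

// The vulnerable pattern this replaces emits a script, e.g.
//   header( 'Content-Type: application/javascript' );
//   echo 'window.qniContentIndex = ' . wp_json_encode( $index ) . ';';
// which any origin can load with <script src="...admin-ajax.php?action=...">
// while the victim's cookies authenticate the request.

add_action( 'wp_ajax_qni_content_index', 'qni_hardened_content_index' );

function qni_hardened_content_index() {
    // 1. Require a nonce. The plugin's own pages pass one created with
    //    wp_create_nonce( 'qni_content_index' ); a third-party page has no
    //    way to learn it, so the cross-site <script> request dies here.
    check_ajax_referer( 'qni_content_index', 'nonce' );

    // 2. Explicit capability check in addition to being logged in.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Only return posts this user is allowed to read ('perm' => 'readable'
    //    filters private/draft items by the caller's own permissions).
    $posts = get_posts( array(
        'post_type'   => array( 'post', 'page' ),
        'post_status' => array( 'publish', 'draft', 'private' ),
        'numberposts' => -1,
        'perm'        => 'readable',
    ) );

    $index = array();
    foreach ( $posts as $p ) {
        $index[] = array(
            'id'    => $p->ID,
            'title' => $p->post_title,
            'url'   => get_edit_post_link( $p->ID, 'raw' ),
        );
    }

    // 4. Respond with JSON (Content-Type: application/json). A JSON object
    //    is a syntax error when loaded as a <script>, so even a missing nonce
    //    check would no longer expose the titles to another origin.
    wp_send_json_success( $index );
}
```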