wpvulndb | Apple502j | WPVDB-ID: 2AFADC76-93AD-47E1-A224-E442AC41CBCE
History: Nov 22, 2021 - 12:00 a.m.

Logo Carousel < 3.4.2 - Unauthorised Private Post Access

2021-11-22 00:00:00
apple502j
wpscan.com
7
plugin
unauthorised access
duplicate posts

EPSS

0.001

Percentile

32.8%

The plugin allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature.

PoC

1. Go to Logo Carousel -> Shortcode Generator.
2. If there is no carousel, create one.
3. Copy the URL of the "Duplicate" link under the carousel item.
4. Replace the "post" parameter with the post ID of a private post.
5. Visit the link.
6. The private post is duplicated. The post can be viewed at Posts -> All Posts.

e.g.: https://example.com/wp-admin/admin.php?action=sp_lc_shortcode_duplicate&post=1764&sp_lc_duplicate_nonce=1c00367003
