The WP Show Posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the wpsp_display function. This makes it possible for authenticated attackers with contributor access and above to view the contents of draft, trash, future, private and pending posts and pages.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Wp_show_posts | Generatepress | * | 1.1.5 (excluding) |
References
- https://plugins.trac.wordpress.org/browser/wp-show-posts/trunk/wp-show-posts.php#L224
- https://plugins.trac.wordpress.org/browser/wp-show-posts/trunk/wp-show-posts.php#L591
- https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3041416%40wp-show-posts%2Ftrunk\u0026old=2846296%40wp-show-posts%2Ftrunk\u0026sfp_email=\u0026sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6788e2ee-ce61-494b-8d7f-6d1144466e58?source=cve
- https://plugins.trac.wordpress.org/browser/wp-show-posts/trunk/wp-show-posts.php#L224
- https://plugins.trac.wordpress.org/browser/wp-show-posts/trunk/wp-show-posts.php#L591
- https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3041416%40wp-show-posts%2Ftrunk\u0026old=2846296%40wp-show-posts%2Ftrunk\u0026sfp_email=\u0026sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6788e2ee-ce61-494b-8d7f-6d1144466e58?source=cve