CVE-2024-12447: Get Post Content Shortcode <= 0.4 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via post_cont...

4.3 CVSS

Description

The Get Post Content Shortcode plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.4 via the 'post-content' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of password-protected, private, draft, and pending posts.

Classification

CVE ID: CVE-2024-12447

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

Affected Products

Vendor: webdeveric

Product: Get Post Content Shortcode

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.21% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b92091-e615-484f-b402-2e793eed214d?source=cve
https://plugins.trac.wordpress.org/browser/get-post-content-shortcode/trunk/get-post-content-shortcode.php#L106

Timeline

2024-12-15 00:30:13 UTC
CVE

Get Post Content Shortcode <= 0.4 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via post_cont...