CVE-2021-24851

CWE-863 — Incorrect Authorization CWE-862 — Missing Authorization3 documents3 sources

Severity

4.3MEDIUM

EPSS

0.2%

top 59.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Insert Pages Insert Pages Project Insert Pages

Timeline

PublishedNov 17

Latest updateMay 24

Description

The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5unknown/insert_pages3.7.0 — 3.7.0

▶NVDinsert_pages_project/insert_pages< 3.7.0

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-cr2h-5rwf-jg3m: The Insert Pages WordPress plugin before 3↗2022-05-24

▶

CVEList

Insert Pages < 3.7.0 - Contributor+ Arbitrary Posts/Pages Access↗2021-11-17

▶