
Description

The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the 'get_legacy_cookies' function. This makes it possible for unauthenticated attackers to extract sensitive data including titles and permalinks of private, password-protected, pending, and draft posts.

PUBLISHED | Reserved 2024-12-06 | Published 2024-12-11 | Updated 2024-12-11 | Assigner Wordfence




MEDIUM: 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-284 Improper Access Control

Product status

Default status: unaffected

Version * (semver): affected

Timeline

2024-12-10: Disclosed

Credits

Francesco Carlucci (finder)

References

www.wordfence.com/...-6afa-4686-8e6a-01edab2dcc96?source=cve

plugins.trac.wordpress.org/...-posts/trunk/inc/namespace.php

plugins.trac.wordpress.org/changeset/3205041/

cve.org (CVE-2024-12294)

nvd.nist.gov (CVE-2024-12294)