CVE-2023-0890: Shortcodes Ultimate < 5.12.8 - Subscriber+ Arbitrary Post Access
First published: Mon Mar 20 2023(Updated: )
The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated users such as subscriber to view draft, private or even password protected posts. It is also possible to leak the password of protected posts
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Shortcodes Ultimate by Vova Anokhin | <5.12.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this WordPress Shortcodes Plugin vulnerability?
The vulnerability ID for this WordPress Shortcodes Plugin vulnerability is CVE-2023-0890.
What is the severity level of CVE-2023-0890?
CVE-2023-0890 has a severity level of medium with a value of 6.5.
Which version of the Shortcodes Ultimate WordPress plugin is affected by CVE-2023-0890?
The Shortcodes Ultimate WordPress plugin version up to 5.12.8 is affected by CVE-2023-0890.
What is the CWE ID for CVE-2023-0890?
The CWE ID for CVE-2023-0890 is CWE-862.
How can an authenticated user exploit CVE-2023-0890?
An authenticated user can exploit CVE-2023-0890 by viewing draft, private, or other unauthorized posts through certain shortcodes.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/references
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/getshortcodes
- canonical/shortcodes ultimate by vova anokhin