CVELIST:CVE-2021-24845 (cvelist, WPScan)
History: Dec 13, 2021 - 10:41 a.m.

CVE-2021-24845 Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access

2021-12-13 10:41:05
CWE-284
WPScan
www.cve.org

Tags: cve-2021-24845, improved include page, wordpress plugin, vulnerability, arbitrary posts/pages access, contributor

EPSS: 0.001
Percentile: 32.8%

The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to.

CNA Affected

[
  {
    "product": "Improved Include Page",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "1.2",
        "status": "affected",
        "version": "1.2",
        "versionType": "custom"
      }
    ]
  }
]
