Cyber Posture

CVE-2024-11090

Medium

Published: 26 January 2025

Modified: 30 January 2026
KEV Added
Patch
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0009 (24.8th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Description

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.13 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

Security Summary

CVE-2024-11090 is a sensitive information exposure vulnerability (CWE-200) in the Membership Plugin – Restrict Content for WordPress, affecting all versions up to and including 3.2.13. The flaw occurs via the WordPress core search feature, enabling the extraction of sensitive data from posts restricted to higher-level roles such as administrator.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). Exploitation allows a remote attacker with no privileges to read data from protected posts; the confidentiality impact is rated low, and integrity and availability are not affected.

Mitigation details are available in the WordPress plugins trac changeset 3227065 at https://plugins.trac.wordpress.org/changeset/3227065/restrict-content, which addresses the issue. Further advisory information is provided by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/7615c391-ccb1-4990-bbfd-949782cc609a?source=cve.

Details

CWE(s)
CWE-200, NVD-CWE-noinfo

Affected Products

Vendor: liquidweb
Product: restrict content
Versions: ≤ 3.2.14

References