CVE-2023-0890

MEDIUM

Shortcodes Ultimate < 5.12.8 - Authenticated Missing Authorization via Shortcode Post Display

Title source: llm

Description

The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated user, such as a subscriber, to view draft, private or even password-protected posts. It is also possible to leak the password of protected posts.

References (1)

Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/8a466f15-f112-4527-8b02-4544a8032671

Scores

CVSS v3 6.5
EPSS 0.0065
EPSS Percentile 46.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
getshortcodes/shortcodes_ultimate < 5.12.8
Published Mar 20, 2023
Tracked Since Feb 18, 2026