CVE-2024-12447 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Get Post Content Shortcode WordPress plugin developed by webdeveric. The flaw exists in all versions up to and including 0.4 and stems from the plugin's failure to validate a user-controlled key parameter passed to the 'post-content' shortcode. This missing validation allows authenticated users with Contributor-level permissions or higher to exploit an insecure direct object reference (IDOR) vulnerability. By manipulating the shortcode parameter, attackers can access the content of posts that are normally restricted, including password-protected, private, draft, and pending posts. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 4.3 (medium severity), reflecting low impact on confidentiality (limited to reading content), no impact on integrity or availability, low attack complexity, and requiring privileges (Contributor or higher). No patches or known exploits have been reported as of the publication date. This vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple contributors or less restrictive user role assignments.

The primary impact of CVE-2024-12447 is unauthorized disclosure of sensitive post content within affected WordPress sites. Attackers with Contributor-level access can read posts that are intended to be private, password-protected, drafts, or pending review, potentially exposing confidential business information, unpublished content, or other sensitive data. This breach of confidentiality can lead to reputational damage, intellectual property loss, and privacy violations. Since the vulnerability does not affect integrity or availability, it does not allow content modification or denial of service. However, the ease of exploitation by authenticated users means insider threats or compromised contributor accounts can be leveraged to escalate data exposure. Organizations with collaborative content workflows or external contributors are at higher risk. The lack of a patch increases the window of exposure until a fix is released. Overall, the vulnerability undermines trust in content access controls within affected WordPress environments.

To mitigate CVE-2024-12447, organizations should immediately audit and restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of insider exploitation. Temporarily disabling or removing the Get Post Content Shortcode plugin until a patch is available can eliminate the attack vector. If plugin removal is not feasible, implement custom access controls or filters to validate and sanitize shortcode parameters, ensuring unauthorized users cannot manipulate keys to access restricted posts. Monitoring logs for unusual shortcode usage or access patterns can help detect exploitation attempts. Additionally, site administrators should enforce strong authentication mechanisms and consider multi-factor authentication to reduce the risk of compromised contributor accounts. Stay informed on vendor updates and apply patches promptly once released. Finally, review and tighten WordPress user role assignments and content visibility settings to limit exposure.