The vulnerability identified as CVE-2024-12560 affects the 'Button Block – Get fully customizable & multi-functional buttons' WordPress plugin, specifically versions up to and including 1.1.5. The issue arises from the 'btn_block_duplicate_post' function, which improperly handles access controls, allowing authenticated users with Contributor-level permissions or higher to access sensitive information from posts that are not publicly visible, including drafts, scheduled posts, private posts, and password-protected content. This exposure constitutes a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) weakness. The vulnerability can be exploited remotely without user interaction, requiring only authenticated access with relatively low privileges (Contributor or above). The CVSS v3.1 base score is 4.3, reflecting a medium severity level primarily due to the confidentiality impact and ease of exploitation. The vulnerability does not impact data integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The flaw could allow attackers to harvest sensitive content that might include unpublished business information, personal data, or other confidential materials stored in non-public posts, potentially leading to privacy violations or information leakage.

The primary impact of this vulnerability is unauthorized disclosure of sensitive content stored in draft, scheduled, private, or password-protected posts within WordPress sites using the affected plugin. Organizations relying on this plugin risk exposure of confidential business information, unpublished content, or personal data, which could lead to reputational damage, regulatory compliance issues (e.g., GDPR), and loss of trust from users or customers. Since the vulnerability requires authenticated access at Contributor level or above, attackers must first compromise or obtain legitimate user credentials, which may be feasible through phishing or credential stuffing attacks. The breach of confidentiality could facilitate further attacks, social engineering, or competitive intelligence gathering. However, the vulnerability does not allow modification or deletion of data, nor does it impact site availability. The scope is limited to sites using this specific plugin, but given WordPress's widespread use, the potential reach is significant.

1. Immediate mitigation involves updating the 'Button Block' plugin to a patched version once available. Since no patch links are currently provided, monitor the vendor or WordPress plugin repository for updates. 2. Restrict Contributor-level access strictly to trusted users and review user roles to minimize unnecessary elevated privileges. 3. Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to reduce the risk of credential compromise. 4. Conduct regular audits of user accounts and permissions to detect and remove unauthorized or dormant accounts. 5. If patching is delayed, consider temporarily disabling or removing the plugin to prevent exploitation. 6. Monitor logs for unusual access patterns to draft or private content that could indicate exploitation attempts. 7. Educate content creators and administrators about the risks of storing highly sensitive information in draft or private posts. 8. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable function if feasible.