The WP Show Posts plugin for WordPress, developed by edge22, suffers from an authorization bypass vulnerability identified as CVE-2024-1479. This vulnerability is due to incorrect authorization checks in the wpsp_display function, which is responsible for rendering posts and pages. Authenticated users with contributor-level access or higher can exploit this flaw to view content that should be restricted, including draft, trash, future, private, and pending posts and pages. Normally, contributors have limited access and cannot view private or unpublished content authored by others. However, due to the flawed authorization logic, these users can bypass these restrictions and gain visibility into sensitive unpublished content. The vulnerability affects all versions up to and including 1.1.4 of WP Show Posts. The CVSS v3.1 score of 5.3 (medium severity) reflects that the attack vector is network-based, requires low attack complexity, no privileges beyond contributor, no user interaction, and impacts confidentiality only without affecting integrity or availability. There are no known public exploits or patches currently available, but the risk of sensitive information exposure remains significant for sites using this plugin. This vulnerability falls under CWE-863, which denotes incorrect authorization leading to unauthorized access to resources.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive unpublished content within WordPress sites using the WP Show Posts plugin. Organizations relying on this plugin may inadvertently expose draft posts, private pages, or other non-public content to users with contributor-level access, which could include internal staff or external collaborators. This exposure can lead to information leakage, potentially revealing confidential business plans, unpublished articles, or sensitive internal communications. Although the vulnerability does not allow modification or deletion of content, the breach of confidentiality can undermine trust, violate privacy policies, and expose organizations to reputational damage. For multi-author blogs, editorial teams, or corporate websites, this could result in premature disclosure of strategic information. Since exploitation requires authenticated contributor access, the threat is limited to insiders or compromised contributor accounts, but the ease of exploitation and the scope of affected content make it a notable risk. No impact on system integrity or availability has been reported.

To mitigate this vulnerability, organizations should first verify if they are using the WP Show Posts plugin and identify the version in use. Since no official patch or update is currently linked, administrators should consider temporarily disabling the plugin until a fix is released. Restrict contributor-level access strictly to trusted users and review user roles to minimize the number of contributors. Implement monitoring and alerting for unusual access patterns to draft or private content. As a workaround, site administrators can audit and harden access controls on unpublished content by using additional access control plugins or custom code to enforce stricter authorization checks. Regularly check for updates from the plugin vendor and apply patches promptly once available. Additionally, conduct security awareness training for contributors to reduce the risk of credential compromise. Finally, consider isolating sensitive content or using alternative plugins with robust authorization mechanisms.