
CVE-2025-1504: CWE-862 Missing Authorization in andyexeter Post Lockdown

Severity: Medium
Published: Sat Mar 08 2025 (03/08/2025, 02:24:03 UTC)
Source: CVE Database V5
Vendor/Project: andyexeter
Product: Post Lockdown

Description

CVE-2025-1504 is a medium-severity missing-authorization vulnerability in the Post Lockdown WordPress plugin by andyexeter, affecting all versions up to and including 4.0.2. The 'pl_autocomplete' AJAX action does not check whether the caller is authorized to see the posts it searches, so any authenticated user with Subscriber-level access or higher can extract data from password-protected, private, or draft posts they should not be able to read. Exploitation requires an authenticated session but no further user interaction. The impact is to confidentiality only; integrity and availability are unaffected. No exploitation in the wild has been reported. Sites running the plugin should update as soon as a fixed release is available and apply compensating controls in the meantime.

AI-Powered Analysis

Last updated: 02/25/2026, 22:01:14 UTC

Technical Analysis

The Post Lockdown plugin for WordPress, developed by andyexeter, contains an authorization bypass tracked as CVE-2025-1504. The defect is in the 'pl_autocomplete' AJAX action, which provides post autocomplete for the plugin's administrative interface. WordPress 'wp_ajax_{action}' hooks run only for logged-in users, so the action is authenticated, but the plugin performs no authorization check on top of that: it neither gates the action on a capability appropriate to the feature nor filters results by what the caller is allowed to read. Any authenticated user, down to the Subscriber role (the default role for self-registered accounts on sites with open registration), can therefore query the action and receive data about posts that are password protected, private, or in draft status. This is an information exposure classified under CWE-862 (Missing Authorization).

All versions up to and including 4.0.2 are affected. The CVSS v3.1 base score is 4.3 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: network-reachable, low attack complexity, low privileges required (any authenticated account), no user interaction, limited confidentiality impact, and no impact on integrity or availability. This record lists no patched version, and no exploitation in the wild had been reported as of publication. The CVE was reserved on 2025-02-20 and published on 2025-03-08.
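The defect class described above, as an added illustration in PHP. This is not the Post Lockdown plugin's own code: the handler names, the 'term' and 'nonce' request parameters, the 'pl_autocomplete_nonce' action, and the 'manage_options' capability are assumptions chosen for the example. The point it makes is that a 'wp_ajax_' hook only proves the caller is logged in; the authorization has to be written explicitly, once for the feature and once per returned post.

```php
<?php
// Added example, not code from the Post Lockdown plugin. Hook and parameter
// names are assumptions. Only ONE of the two handlers below would be
// registered in a real plugin; the vulnerable one is shown for contrast.

// --- Vulnerable pattern (CWE-862): the wp_ajax_ prefix means "logged-in
// users only", so a Subscriber reaches this code. Nothing checks what the
// caller may read, and 'post_status' => 'any' pulls drafts and private posts.
function example_pl_autocomplete_vulnerable() {
    $term  = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    $posts = get_posts( array(
        's'              => $term,
        'post_type'      => 'any',
        'post_status'    => 'any',
        'posts_per_page' => 20,
    ) );
    $out = array();
    foreach ( $posts as $post ) {
        $out[] = array( 'id' => $post->ID, 'label' => $post->post_title );
    }
    wp_send_json_success( $out ); // titles of drafts/private posts leak to any account
}

// --- Hardened pattern: nonce, a capability gate for the feature, and a
// per-post read check as defense in depth (e.g. if the gate is later relaxed
// to a role that can read some but not all non-public posts).
add_action( 'wp_ajax_pl_autocomplete', 'example_pl_autocomplete_hardened' );
function example_pl_autocomplete_hardened() {
    // Assumed nonce action/field names; the nonce ties the call to the admin screen.
    check_ajax_referer( 'pl_autocomplete_nonce', 'nonce' );

    // Post Lockdown is an administrative feature; deny everyone below that bar.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $term  = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    $posts = get_posts( array(
        's'              => $term,
        'post_type'      => 'any',
        'post_status'    => 'any',
        'posts_per_page' => 20,
    ) );

    $out = array();
    foreach ( $posts as $post ) {
        // 'read_post' maps to 'edit_post' for drafts and to 'read_private_posts'
        // for private posts, so each non-public status is checked for this caller.
        if ( ! current_user_can( 'read_post', $post->ID ) ) {
            continue;
        }
        // A password-protected published post passes 'read_post' for anyone with
        // 'read'; require edit rights before exposing it in the picker.
        if ( post_password_required( $post ) && ! current_user_can( 'edit_post', $post->ID ) ) {
            continue;
        }
        $out[] = array(
            'id'     => $post->ID,
            'label'  => $post->post_title,
            'status' => $post->post_status,
        );
    }
    wp_send_json_success( $out );
}
```

The per-post loop is what distinguishes a real fix from a cosmetic one: moving 'post_status' to 'publish' would also hide drafts, but it would break the plugin's purpose of letting administrators pick unpublished posts, whereas checking the caller's capability against each result keeps the feature and removes the leak.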

Potential Impact

An authenticated user with Subscriber-level access or higher can bypass the intended access controls and extract information from posts meant to be restricted: password-protected, private, and draft posts. Organizations relying on Post Lockdown to protect sensitive content could see confidential or proprietary material disclosed before publication, or to readers who were never meant to see it. The vulnerability does not permit modification or deletion of content, but disclosure of unpublished or restricted data can carry privacy and compliance consequences, particularly where personal data or intellectual property is involved. The low privilege bar matters most on sites that allow self-registration, since a Subscriber account is then available to anyone; where every account belongs to staff, the attacker population is limited to insiders and compromised accounts. Either way, the flaw undermines the content-protection guarantee the plugin exists to provide, with the attendant reputational, regulatory, and competitive risk.

Mitigation Recommendations

Organizations using the Post Lockdown plugin should assess their exposure and take the following actions:

1. Check the plugin's changelog and its WordPress.org listing for a release later than 4.0.2 that addresses this issue, and update as soon as one is available; this record does not list a fixed version.
2. Until then, gate or disable the 'pl_autocomplete' AJAX action so that only users who legitimately administer Post Lockdown can reach it, for example from a must-use plugin that hooks the action ahead of the plugin's own handler.
3. Review user roles. If the site does not need open registration, disable it (Settings → General → Membership); if it does, keep self-registered accounts at Subscriber and confirm that no custom code grants that role extra capabilities.
4. Where the web server or a WAF can see the request, restrict requests to admin-ajax.php carrying action=pl_autocomplete to administrative IP ranges, and alert on denied attempts. A WAF cannot distinguish WordPress roles, so treat this as a coarse control, not a substitute for the fix.
5. Audit password-protected, private, and draft posts for content that would be damaging if disclosed, and assume it may have been read by any account that existed while the vulnerable version was installed.
6. After patching or deploying a compensating control, verify with a test Subscriber account that the action no longer returns non-public posts.
7. If a fix is delayed and the plugin is not essential, consider removing it or replacing it with one whose authorization enforcement has been reviewed.
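Step 2 above, as an added example of a compensating control that does not modify the vendor plugin. This is not Post Lockdown's code; the file name, the 'manage_options' capability, and the log format are assumptions. It relies on two WordPress facts: must-use plugins in wp-content/mu-plugins/ load before ordinary plugins, and an action callback at priority 0 runs before a callback at the default priority 10, so a denial here terminates the request before the plugin's handler executes.

```php
<?php
/**
 * Plugin Name: Gate pl_autocomplete (compensating control for CVE-2025-1504)
 *
 * Added example, not part of the Post Lockdown plugin. Save as
 * wp-content/mu-plugins/gate-pl-autocomplete.php (assumed file name).
 * Remove once a fixed plugin release is installed and verified.
 */

// Priority 0: runs before the plugin's own handler (default priority 10).
add_action( 'wp_ajax_pl_autocomplete', 'gate_pl_autocomplete', 0 );

function gate_pl_autocomplete() {
    // 'manage_options' is an assumption: use the capability held by the roles
    // that actually administer Post Lockdown on this site.
    if ( current_user_can( 'manage_options' ) ) {
        return; // authorized caller: fall through to the plugin's handler
    }

    // Record the denied attempt so unexpected callers can be investigated
    // (mitigation step 4 asks for alerting on exactly these requests).
    $user = wp_get_current_user();
    error_log( sprintf(
        'pl_autocomplete denied: user_id=%d login=%s role=%s ip=%s',
        $user->ID,
        $user->user_login,
        isset( $user->roles[0] ) ? $user->roles[0] : 'none',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() calls wp_die(), so no later callback on this hook runs.
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}
```

To disable the action outright rather than gate it (also covered by step 2), drop the capability check and deny unconditionally; the plugin's admin picker stops working, but so does the leak. For step 6, the verification is the mirror image: log in as a test Subscriber, request admin-ajax.php with action=pl_autocomplete, and confirm the response is the 403 JSON error rather than a list of posts.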


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-02-20T18:35:41.066Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6b14b7ef31ef0b54ddd1

Added to database: 2/25/2026, 9:35:16 PM

Last enriched: 2/25/2026, 10:01:14 PM

Last updated: 2/26/2026, 7:23:34 AM
