CVE-2024-12447

The Get Post Content Shortcode plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.4 via the 'post-content' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of password-protected, private, draft, and pending posts.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/get-post-content-shortcode/trunk/get-post-content-shortcode.php#L106
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b92091-e615-484f-b402-2e793eed214d?source=cve

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El complemento Get Post Content Shortcode para WordPress es vulnerable a la Referencia directa a objetos inseguros en todas las versiones hasta la 0.4 incluida a través del código abreviado 'post-content' debido a la falta de validación en una clave controlada por el usuario. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, lean el contenido de publicaciones protegidas con contraseña, privadas, en borrador y pendientes.

14 Dec 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-14 05:15

Updated : 2026-04-15 00:35

NVD link : CVE-2024-12447

Mitre link : CVE-2024-12447

CVE.ORG link : CVE-2024-12447

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

4.3 /10