CVE-2024-0681 - Vulnerability Details - OpenCVE

The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. This is due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected pages. The vendor has decided that they will not implement REST API protection on posts and pages and the restrictions will only apply to the front-end of the site. The vendors solution was to add notices throughout the dashboard and recommends installing the WordPress REST API Authentication plugin for REST API coverage.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Miniorange	Page Restriction

Configuration 1 [-]

cpe:2.3:a:miniorange:page_restriction:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3034414%40page-and-post-restriction&new=3034414%40page-and-post-restriction&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/a3e33a5c-df7c-4ef5-a59c-1c31abcda6d1?source=cve

History

Tue, 11 Mar 2025 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Miniorange Miniorange page Restriction
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:miniorange:page_restriction::::::wordpress::*
Vendors & Products		Miniorange Miniorange page Restriction

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-03-13T15:27:08.355Z

Updated: 2024-08-08T20:02:18.711Z

Reserved: 2024-01-18T13:55:00.721Z

Link: CVE-2024-0681

Vulnrichment

Updated: 2024-08-01T18:11:35.735Z

NVD

Status : Analyzed

Published: 2024-03-13T16:15:12.767

Modified: 2025-03-11T13:33:45.277

Link: CVE-2024-0681

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0681", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-01-18T13:55:00.721Z", "datePublished": "2024-03-13T15:27:08.355Z", "dateUpdated": "2024-08-08T20:02:18.711Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-03-13T15:27:08.355Z"}, "affected": [{"vendor": "cyberlord92", "product": "Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.3.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. This is due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected pages. The vendor has decided that they will not implement REST API protection on posts and pages and the restrictions will only apply to the front-end of the site. The vendors solution was to add notices throughout the dashboard and recommends installing the WordPress REST API Authentication plugin for REST API coverage."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3e33a5c-df7c-4ef5-a59c-1c31abcda6d1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3034414%40page-and-post-restriction&new=3034414%40page-and-post-restriction&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-693 Protection Mechanism Failure"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Francesco Carlucci"}], "timeline": [{"time": "2024-02-27T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:11:35.735Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3e33a5c-df7c-4ef5-a59c-1c31abcda6d1?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3034414%40page-and-post-restriction&new=3034414%40page-and-post-restriction&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "miniorange", "product": "page_restriction", "cpes": ["cpe:2.3:a:miniorange:page_restriction:*:*:*:*:*:wordpress:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.4", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-13T19:58:58.497260Z", "id": "CVE-2024-0681", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T20:02:18.711Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3e33a5c-df7c-4ef5-a59c-1c31abcda6d1?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3034414%40page-and-post-restriction&new=3034414%40page-and-post-restriction&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:11:35.735Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0681", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-13T19:58:58.497260Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:miniorange:page_restriction:*:*:*:*:*:wordpress:*:*"], "vendor": "miniorange", "product": "page_restriction", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.4"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T20:02:14.496Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Francesco Carlucci"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "cyberlord92", "product": "Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.3.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-02-27T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3e33a5c-df7c-4ef5-a59c-1c31abcda6d1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3034414%40page-and-post-restriction&new=3034414%40page-and-post-restriction&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. This is due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected pages. The vendor has decided that they will not implement REST API protection on posts and pages and the restrictions will only apply to the front-end of the site. The vendors solution was to add notices throughout the dashboard and recommends installing the WordPress REST API Authentication plugin for REST API coverage."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-03-13T15:27:08.355Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0681", "state": "PUBLISHED", "dateUpdated": "2024-08-08T20:02:18.711Z", "dateReserved": "2024-01-18T13:55:00.721Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-03-13T15:27:08.355Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:miniorange:page_restriction:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "BF7830C6-9B48-4520-9699-DC99B77486DD", "versionEndExcluding": "1.3.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. This is due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected pages. The vendor has decided that they will not implement REST API protection on posts and pages and the restrictions will only apply to the front-end of the site. The vendors solution was to add notices throughout the dashboard and recommends installing the WordPress REST API Authentication plugin for REST API coverage."}, {"lang": "es", "value": "El complemento Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post para WordPress es vulnerable a la divulgaci\u00f3n de informaci\u00f3n en todas las versiones hasta la 1.3.4 incluida. Esto se debe a que el complemento no restringe adecuadamente el acceso a las p\u00e1ginas a trav\u00e9s de la API REST cuando una p\u00e1gina se ha hecho privada. Esto hace posible que atacantes no autenticados vean p\u00e1ginas protegidas. El proveedor ha decidido que no implementar\u00e1 la protecci\u00f3n de la API REST en publicaciones y p\u00e1ginas y que las restricciones solo se aplicar\u00e1n al front-end del sitio. La soluci\u00f3n del proveedor fue agregar avisos en todo el panel y recomienda instalar el complemento de autenticaci\u00f3n de API REST de WordPress para la cobertura de API REST."}], "id": "CVE-2024-0681", "lastModified": "2025-03-11T13:33:45.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-03-13T16:15:12.767", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3034414%40page-and-post-restriction&new=3034414%40page-and-post-restriction&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3e33a5c-df7c-4ef5-a59c-1c31abcda6d1?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3034414%40page-and-post-restriction&new=3034414%40page-and-post-restriction&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3e33a5c-df7c-4ef5-a59c-1c31abcda6d1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}