• [Resolved] jakobols (@jakobols)


    Hi,

    I was thinking of buying the full plugin, but it seems there have been no updates for months on this plugin. Is this the same for the paid plugin? Does it also have the security vulnerability?

  • Plugin Author Daniel Iser (@danieliser)

    @jakobols – Admittedly this one got by us early on, but we have been on it for some time. The trick was finding a solution that resolved the issue as outlined, but also that didn’t require breaking existing functionality/expectations, a complete rewrite of the plugin, or introducing new side-effects or compatibility issues with other plugins.

    Many of the solutions we fully considered would have required completely removing many of the features that have long made this plugin so flexible.

    Luckily we worked with someone on the Plugins Team to come up with a simple yet elegant solution that resolves it by default, and still maintains full capabilities.

    Also just note, this was less of a security vulnerability in the sense that your site could get hacked, and more that content could be brute-forced via the search. Because of the extremely low security risk and the potential future issues stemming from a bad choice of solution now, we did take a bit longer than our typical response to something like this, which is usually days (from the finding, not the announcement).

    You can read about this specific issue here: https://contentcontrolplugin.com/docs/security/preventing-bots-from-discovering-restricted-content/#how-content-can-be-exposed

    Just for extra reference, it further relied on you setting it up to allow your content to appear for restricted users, but with your “restricted content” message. If you used redirects, or were already hiding content from archives, then it wouldn’t have had any impact on your sites at all.


The topic ‘security vulnerability not fix for day?’ is closed to new replies.