Vulnerability detected | WordPress.org

Resolved vlidi
(@vlidi)

2 months, 1 week ago
Just received this:
- Vulnerability: WordPress Custom Layouts – Post + Product grids made easy plugin <= 1.4.12 – Broken Access Control vulnerability.
- Severity: Medium.
Needs patching ASAP.

Viewing 2 replies - 1 through 2 (of 2 total)

goldtop
(@goldtop)

2 months, 1 week ago

Yeah I saw the same thing: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/custom-layouts/custom-layouts-post-product-grids-made-easy-1412-missing-authorization
Plugin Author Code Amp
(@codeamp)

2 months ago
Hi all, thanks for flagging this, we’ve just released an update with this fixed.

FYI the issue was considered low impact, but it was necessary to address.

Essentially, using the individual [custom-template] shortcode, which allows you to choose any post ID to display, a user (with privliges to create posts on your site) could have passed in an ID for a post they were not allowed to see, and then use the “preview” tool to preview the page with that post content in it.

That has now been patched in 1.5.0.
- This reply was modified 2 months ago by Code Amp.

Viewing 2 replies - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

3 replies
3 participants
Last reply from: Code Amp
Last activity: 2 months ago
Status: resolved