CVE-2021-24845: 
WordPress vulnerability analysis and mitigation

The Improved Include Page WordPress plugin through version 1.2 contains a security vulnerability (CVE-2021-24845) that was discovered and publicly disclosed on November 15, 2021. The vulnerability affects the plugin's shortcode functionality and allows users with Contributor-level access to retrieve arbitrary content they shouldn't have access to (WPScan Advisory).

The vulnerability stems from improper access controls in the plugin's shortcode implementation. The plugin allows passing shortcode attributes with posttype and poststatus parameters which can be exploited to retrieve unauthorized content. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and requiring low privileges (NVD).

The vulnerability allows users with Contributor-level access to bypass access controls and view content they shouldn't have permission to access, including draft posts, private posts, and custom post types. This represents a significant breach of content access controls in WordPress installations using the affected plugin (WPScan Advisory).

As of the latest available information, there is no known fix for this vulnerability in the Improved Include Page plugin (WPScan Advisory).