CVE-2021-24851: 
WordPress vulnerability analysis and mitigation

The Insert Pages WordPress plugin before version 3.7.0 contains a security vulnerability (CVE-2021-24851) that allows users with Contributor-level privileges to access content and metadata from arbitrary posts/pages, regardless of their author and status (including private content). This vulnerability was discovered and disclosed on October 18, 2021. The issue affects all versions of the Insert Pages WordPress plugin prior to version 3.7.0, though password-protected posts and pages remain unaffected by this vulnerability (WPScan).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863) with a CVSS v3.1 Base Score of 4.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability stems from improper access control implementation in the plugin's shortcode functionality, which fails to properly validate user permissions when accessing post content (NVD).

The vulnerability allows users with Contributor-level access to view content and metadata from any post or page on the WordPress site, including private content, regardless of the content's author or status. This represents a significant breach of content access controls, potentially exposing sensitive or restricted information to unauthorized users (WPScan).

The vulnerability has been patched in version 3.7.0 of the Insert Pages plugin. Site administrators are strongly advised to update to this version or later to address the security issue. The fix was implemented through a patch that properly validates user permissions before allowing access to post content (WordPress Plugins).