CVE-2023-1371: 
WordPress vulnerability analysis and mitigation

CVE-2023-1371 affects the W4 Post List WordPress plugin versions before 2.4.6. The vulnerability was discovered and publicly disclosed on March 22, 2023. This security flaw allows authenticated users, including those with subscriber-level access, to view the content of password-protected posts without proper authorization (WPScan).

The vulnerability stems from a lack of proper authorization checks in the plugin's functionality. The W4 Post List plugin fails to verify whether users have the necessary permissions to access password-protected posts before displaying their content. The vulnerability has been assigned a CVSS score of 6.5 (medium severity) and is classified as a 'NO AUTHORISATION' issue under OWASP Top 10 category A5: Broken Access Control, with a CWE classification of CWE-862 (WPScan).

The vulnerability allows any authenticated user, regardless of their privilege level, to bypass password protection mechanisms and access the content of password-protected posts. This creates a significant security risk as sensitive or restricted content could be exposed to unauthorized users (NVD).

The vulnerability has been patched in version 2.4.6 of the W4 Post List plugin. Site administrators are strongly advised to update to this version or later to protect against unauthorized access to password-protected content (WPScan).