CVE-2023-4036: 
WordPress vulnerability analysis and mitigation

The Simple Blog Card WordPress plugin before version 1.32 contains a security vulnerability identified as CVE-2023-4036. The vulnerability was discovered and disclosed on August 7, 2023. This security issue affects the plugin's shortcode functionality and impacts WordPress installations using Simple Blog Card versions prior to 1.32 (WPScan, NVD).

The vulnerability stems from improper access control in the plugin's shortcode functionality. The plugin fails to verify whether posts to be displayed via shortcode are public, which creates a security weakness. The issue has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. It is classified as an Insecure Direct Object Reference (IDOR) vulnerability and falls under the OWASP Top 10 category A5: Broken Access Control (WPScan, NVD).

The vulnerability allows any authenticated users, including those with subscriber-level access, to retrieve arbitrary post titles and content, including draft posts, private posts, and password-protected content that they should not have access to (WPScan).

The vulnerability has been fixed in version 1.32 of the Simple Blog Card plugin. Website administrators are advised to update to this version or later to protect against this security issue (WPScan).