CVE-2024-0909: 
WordPress vulnerability analysis and mitigation

The Anonymous Restricted Content plugin for WordPress (CVE-2024-0909) contains an information disclosure vulnerability affecting all versions up to and including 1.6.2. The vulnerability was discovered by Francesco Carlucci and publicly disclosed on February 2, 2024 (Wordfence Report).

The vulnerability stems from insufficient restrictions through the REST API on the posts/pages where protections are being placed. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: NIST rates it as HIGH with a base score of 7.5 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), while Wordfence rates it as MEDIUM with a base score of 5.3 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) (NVD).

The vulnerability allows unauthenticated attackers to access protected content on WordPress sites running the affected plugin versions. This could lead to the exposure of sensitive or restricted information that was intended to be protected by the plugin (NVD).

Site administrators running the Anonymous Restricted Content plugin should immediately update to a patched version of the plugin. Multiple patches have been released to address this vulnerability (WordPress Plugin).