CVE-2024-11292: 
WordPress vulnerability analysis and mitigation

The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 3.6.1. This vulnerability was discovered and disclosed on December 6, 2024. The plugin, which is designed to protect WordPress site content from unauthorized access, contains a flaw that allows unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator via the WordPress core search feature (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue stems from improper implementation of content restrictions when interacting with WordPress's core search functionality, allowing unauthorized access to protected content (NVD, WordPress Plugin).

The vulnerability allows unauthenticated attackers to bypass content restrictions and access sensitive information that should only be available to users with administrator privileges. This could lead to the exposure of confidential data that was intended to be restricted to specific user roles (NVD).

Users should update to a version newer than 3.6.1 if available. The latest version (3.6.2) includes a fix specifically addressing issues related to searching restricted posts (WordPress Plugin).