CVE-2024-11297: 
WordPress vulnerability analysis and mitigation

The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2024-11297) affecting all versions up to and including 1.3.6. The vulnerability was discovered and disclosed on December 20, 2024. This plugin is designed to restrict access to WordPress pages and posts based on user roles (NVD).

The vulnerability exists in the WordPress core search feature implementation within the plugin. The issue allows unauthenticated attackers to bypass the plugin's content restrictions and access sensitive data from posts that were intended to be restricted to higher-level roles such as administrator. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges (NVD).

When exploited, this vulnerability allows unauthorized users to extract sensitive information from posts and pages that were meant to be restricted to administrators or other higher-level roles. This could lead to the exposure of confidential content that was intended to be accessible only to privileged users (NVD).

Users of the Page Restriction WordPress plugin should upgrade to a version newer than 1.3.6 once available. As of the vulnerability disclosure, no official patch has been released. Site administrators should consider implementing additional access controls or temporarily disabling the plugin if the risk is deemed too high (NVD).