What the vulnerability does
01 Description
The If-So Dynamic Content Personalization plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.2.1 via the 'ifso-show-post' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.
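An audit a site owner could run for the issue described above, as an added example that is not the plugin's or this advisory's own code: it scans exported `wp_posts` rows for the `ifso-show-post` shortcode and flags uses that point at another author's non-public post. It assumes the shortcode references its target by a numeric post ID in some attribute; the attribute name `ref` and the sample rows are constructed for illustration.

```python
import re

# Opening tag of the shortcode named in this advisory; group 1 is its attribute string.
SHORTCODE_RE = re.compile(r"\[ifso-show-post\b([^\]]*)\]", re.IGNORECASE)
# The advisory does not name the attribute that selects the post, so every
# attribute with an integer value is treated as a candidate post ID (assumption).
NUMERIC_ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*["']?(\d+)["']?""")
# Core WordPress statuses that are not visible to the public.
NON_PUBLIC = {"private", "draft", "pending", "future"}


def audit(posts):
    """Return one finding per shortcode use that targets another author's non-public post."""
    by_id = {p["ID"]: p for p in posts}
    findings = []
    for post in posts:
        for match in SHORTCODE_RE.finditer(post["post_content"]):
            for attr, value in NUMERIC_ATTR_RE.findall(match.group(1)):
                target = by_id.get(int(value))
                if target is None or target["post_status"] not in NON_PUBLIC:
                    continue  # unknown ID or already public: nothing exposed
                if target["post_author"] == post["post_author"]:
                    continue  # an author embedding their own draft is not a leak
                findings.append({
                    "embedding_post": post["ID"],
                    "embedded_by": post["post_author"],
                    "target_post": target["ID"],
                    "target_status": target["post_status"],
                    "attribute": attr,
                })
    return findings


# Constructed sample rows using the wp_posts column names; not real site data.
SAMPLE_POSTS = [
    {"ID": 10, "post_author": 1, "post_status": "private", "post_content": "internal notes"},
    {"ID": 11, "post_author": 1, "post_status": "publish", "post_content": "public page"},
    {"ID": 12, "post_author": 7, "post_status": "draft", "post_content": "my own draft"},
    {"ID": 20, "post_author": 7, "post_status": "pending", "post_content":
        '[ifso-show-post ref="10"] [ifso-show-post ref=11] [ifso-show-post ref=12]'},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POSTS):
        print(finding)
```

Any finding is a lead for review, not proof of access: check the embedding post's revision history and the author's role before drawing conclusions.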
Explanation of Vulnerability in Simple Terms
02 Summary
If-So Dynamic Content Personalization versions up to 1.9.2.1 contain an authorization flaw that allows authenticated users to access sensitive information they should not be able to view. The vulnerability requires a valid user account but no special privileges. An attacker with low-level access can read data intended for other users or administrators.
What an attacker can do
03 Attacker Capabilities
Read sensitive information or data belonging to other users or higher-privilege accounts.
Potential impact on your site
04 Site Impact
Authenticated users can access confidential data beyond their intended permissions, risking data leakage.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account with low-level privileges; no user interaction required.
Key dates
06 Disclosure timeline
November 21, 2024: CVE published
April 8, 2026: Record updated