CVE-2024-10796 MEDIUM

CVE-2024-10796: If-So Dynamic Content Personalization <= 1.9.2.1 - Authenticated (Contributor+) Post Disclosure

Vendor Ifso
Product If-So Dynamic Content Personalization
Weakness CWE-639 · IDOR
Published November 21, 2024
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The If-So Dynamic Content Personalization plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.2.1 via the 'ifso-show-post' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.

Explanation of Vulnerability in Simple Terms

02 Summary

If-So Dynamic Content Personalization versions up to and including 1.9.2.1 contain an authorization flaw in the 'ifso-show-post' shortcode that lets authenticated users read content they should not be able to view. Exploitation requires a valid user account with low-level privileges (Contributor-level access or above). An attacker with that access can read private or draft posts intended for other users or administrators.

What an attacker can do

03 Attacker Capabilities

Read sensitive information or data belonging to other users or higher-privilege accounts.

Potential impact on your site

04 Site Impact

Authenticated users can access confidential data beyond their intended permissions, risking data leakage.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid user account with low-level privileges; no user interaction required.

Key dates

06 Disclosure timeline

November 21, 2024 CVE published
April 8, 2026 Record updated
