Qubely
cpe:2.3:a:themeum:qubely:*:*:*:*:wordpress:*:*
- <= 1.8.13
A vulnerability allowing sensitive information exposure has been identified in the Qubely - Advanced Gutenberg Blocks plugin for WordPress, affecting all versions through 1.8.13. The issue arises in the 'qubely_get_content' function, where authenticated attackers with Contributor-level access and above can access sensitive post data, including private, pending, scheduled, password-protected, draft, and trashed posts.
Exploitation of this vulnerability allows for unauthorized access to sensitive post information, which could include private or otherwise restricted content.
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a request to the WordPress REST API endpoint 'qubely/v1/qubely_get_content/'. The request must include the 'postId' parameter, set to the ID of a post that contains sensitive information, that is, one with private, pending, scheduled, password-protected, draft, or trashed status. The response will include the post content, demonstrating the exposure of sensitive information.
Users are advised to update the Qubely - Advanced Gutenberg Blocks plugin to version 1.8.14 or later.
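For sites that ran an affected version, web server access logs can be reviewed for calls to the endpoint named above. The following is an added example, not code from the advisory or the plugin; it assumes combined-format access logs, that 'postId' appears in the query string (a request body is not logged), and an arbitrary threshold of three distinct post IDs per client.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/qubely/v1/qubely_get_content"  # REST route named in the advisory
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-json/qubely/v1/qubely_get_content/?postId=101 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-json/qubely/v1/qubely_get_content/?postId=102 HTTP/1.1" 200 4890 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?rest_route=%2Fqubely%2Fv1%2Fqubely_get_content&postId=103 HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.4 - - [01/Jan/2025:10:05:00 +0000] "POST /wp-json/qubely/v1/qubely_get_content HTTP/1.1" 401 120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2025:10:06:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def route_hit(target):
    """Return (matched, post_id); covers /wp-json/... and ?rest_route=... forms."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)  # parse_qs percent-decodes values
    path = unquote(parts.path).rstrip("/").lower()
    rest_route = query.get("rest_route", [""])[0].rstrip("/").lower()
    matched = path.endswith(ROUTE) or rest_route == ROUTE
    return matched, query.get("postId", [None])[0]

def summarize(log_text, min_ids=3):
    """Per client IP: hits on the route, 2xx hits, distinct postIds, and a flag."""
    stats = defaultdict(lambda: {"hits": 0, "ok": 0, "post_ids": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _method, target, status = m.groups()
        matched, post_id = route_hit(target)
        if not matched:
            continue
        s = stats[ip]
        s["hits"] += 1
        s["ok"] += status.startswith("2")  # count successful responses
        if post_id is not None:
            s["post_ids"].add(post_id)
    # min_ids is an assumed threshold for "many different posts requested"
    return {ip: {**s, "enumeration": len(s["post_ids"]) >= min_ids}
            for ip, s in stats.items()}

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
```

Flagged clients should be correlated with the authenticated WordPress account behind the session, since the issue requires Contributor-level access or above.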