Smart Custom Fields WordPress Plugin Missing Capability Check Vulnerability Allowing Unauthorized Data Access
Vulnerability
A vulnerability exists in the Smart Custom Fields plugin for WordPress in all versions up to and including 5.0.6. The issue is a missing capability check in the 'relational_posts_search' function, one of the AJAX handlers the plugin registers. The handler queries posts of any status and returns the full WP_Post objects, including post_content, to the caller. Before doing so it only verifies the generic 'edit_posts' capability, which every Contributor holds; it never checks whether the requesting user is allowed to read each individual post that is returned. As a result, authenticated users with Contributor-level access and above can read private and draft posts belonging to other authors.
Impact
Exploitation of this vulnerability allows a low-privileged authenticated user (Contributor or above) to read the content of other authors' private and draft posts, potentially exposing unpublished or confidential information. The flaw is an information disclosure only; it does not by itself allow the attacker to modify posts.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher sends a request to the 'smart-cf-relational-posts-search' AJAX action. The request can specify post types and other search parameters, but the only authorization applied is the 'edit_posts' capability check, which Contributors and higher pass. The response contains WP_Post objects from other authors, including private and draft posts with their full content.
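The following PHP is an added illustration of the pattern described in the Vulnerability and Reproduction sections; it is not the plugin's code and not the vendor's patch. It reconstructs a WordPress AJAX search handler that accepts any post status behind a generic 'edit_posts' check, and places a hardened handler beside it that adds a nonce check, filters each result with the per-post 'read_post' capability, and returns only the fields a picker UI needs. The hook names, function names, the 'post_type', 's' and 'nonce' request parameters and the nonce action are all assumptions made for this example.

```php
<?php
/**
 * Added example (not Smart Custom Fields code): a vulnerable AJAX post
 * search handler beside a hardened one. All hook, function and request
 * parameter names are assumptions for illustration.
 */

// --- Vulnerable pattern -------------------------------------------------
// Hypothetical reconstruction of the flaw described in the advisory.
add_action( 'wp_ajax_example-posts-search-vulnerable', 'example_posts_search_vulnerable' );

function example_posts_search_vulnerable() {
	// Generic check only: every Contributor and above passes.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$post_types = isset( $_POST['post_type'] ) ? (array) wp_unslash( $_POST['post_type'] ) : array( 'post' );
	$search     = isset( $_POST['s'] ) ? sanitize_text_field( wp_unslash( $_POST['s'] ) ) : '';

	$query = new WP_Query( array(
		'post_type'      => array_map( 'sanitize_key', $post_types ),
		'post_status'    => 'any', // drafts and private posts of every author are included
		's'              => $search,
		'posts_per_page' => 50,
	) );

	// Full WP_Post objects, post_content included, go straight back to the caller.
	wp_send_json_success( $query->posts );
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example-posts-search-hardened', 'example_posts_search_hardened' );

function example_posts_search_hardened() {
	// CSRF protection; the nonce action name is an assumption.
	check_ajax_referer( 'example-posts-search', 'nonce' );

	// Coarse gate: the endpoint is only for users who can edit at all.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$post_types = isset( $_POST['post_type'] ) ? (array) wp_unslash( $_POST['post_type'] ) : array( 'post' );
	$post_types = array_map( 'sanitize_key', $post_types );
	$search     = isset( $_POST['s'] ) ? sanitize_text_field( wp_unslash( $_POST['s'] ) ) : '';

	// Only search registered post types that are exposed in the admin UI.
	$post_types = array_values( array_filter( $post_types, function ( $type ) {
		$obj = get_post_type_object( $type );
		return $obj && $obj->show_ui;
	} ) );
	if ( empty( $post_types ) ) {
		wp_send_json_success( array() );
	}

	$query = new WP_Query( array(
		'post_type'      => $post_types,
		'post_status'    => array( 'publish', 'future', 'pending', 'draft', 'private' ),
		's'              => $search,
		'posts_per_page' => 50,
	) );

	$results = array();
	foreach ( $query->posts as $post ) {
		// Per-post check. WordPress maps 'read_post' to 'read_private_posts'
		// for other authors' private posts and to 'edit_others_posts' for
		// other authors' drafts, so a Contributor only sees published posts
		// and their own.
		if ( ! current_user_can( 'read_post', $post->ID ) ) {
			continue;
		}
		// Return only what a relation picker needs; never post_content.
		$results[] = array(
			'ID'    => $post->ID,
			'title' => get_the_title( $post ),
			'type'  => $post->post_type,
		);
	}

	wp_send_json_success( $results );
}
```

The two handlers are registered under different hook names so both can be read side by side; in a real plugin only the hardened one would exist. Filtering after the query rather than restricting 'post_status' up front is deliberate: Editors and Administrators legitimately need to pick drafts and private posts, and the 'read_post' meta capability already encodes who may see which post.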
Remediation
Users are advised to update the Smart Custom Fields plugin to version 5.0.7 or later, where this vulnerability has been patched.
