{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1504", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-20T18:35:41.066Z", "datePublished": "2025-03-08T02:24:03.840Z", "dateUpdated": "2026-04-08T16:49:23.294Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:23.294Z"}, "affected": [{"vendor": "andyexeter", "product": "Post Lockdown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post Lockdown plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.0.2 via the 'pl_autocomplete' AJAX action due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password protected, private, or draft posts that they should not have access to."}], "title": "Post Lockdown <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Post Disclosure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/447cef6f-fa2e-4087-946d-6e0214830ea9?source=cve"}, {"url": "https://wordpress.org/plugins/post-lockdown/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3253378%40post-lockdown&new=3253378%40post-lockdown&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "timeline": [{"time": "2025-03-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-10T16:02:54.272275Z", "id": "CVE-2025-1504", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T16:03:01.730Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1504", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-10T16:02:54.272275Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T16:02:58.326Z"}}], "cna": {"title": "Post Lockdown <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Post Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "andyexeter", "product": "Post Lockdown", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/447cef6f-fa2e-4087-946d-6e0214830ea9?source=cve"}, {"url": "https://wordpress.org/plugins/post-lockdown/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3253378%40post-lockdown&new=3253378%40post-lockdown&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Post Lockdown plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.0.2 via the 'pl_autocomplete' AJAX action due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password protected, private, or draft posts that they should not have access to."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:23.294Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1504", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:23.294Z", "dateReserved": "2025-02-20T18:35:41.066Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-08T02:24:03.840Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:andypalmer:post_lockdown:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C556284A-846A-4506-9632-A7C49481C0AC", "versionEndIncluding": "4.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Post Lockdown plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.0.2 via the 'pl_autocomplete' AJAX action due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password protected, private, or draft posts that they should not have access to."}, {"lang": "es", "value": "El complemento Post Lockdown para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n en todas las versiones hasta la 4.0.2 incluida a trav\u00e9s de la acci\u00f3n AJAX 'pl_autocomplete' debido a restricciones insuficientes sobre qu\u00e9 publicaciones se pueden incluir. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, extraigan datos de publicaciones protegidas con contrase\u00f1a, privadas o borradores a las que no deber\u00edan tener acceso."}], "id": "CVE-2025-1504", "lastModified": "2026-04-08T18:24:25.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-08T03:15:37.393", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3253378%40post-lockdown&new=3253378%40post-lockdown&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/post-lockdown/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/447cef6f-fa2e-4087-946d-6e0214830ea9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:59:17.589966+00:00", "value": {"mitigation_remediation": ["Upgrade the Post Lockdown plugin to a version newer than 4.0.2, if an update is available.", "Limit Subscriber role capabilities or revoke access to the pl_autocomplete AJAX endpoint.", "Disable or remove the pl_autocomplete AJAX action from the plugin if it is not required for site functionality."], "summary": {"action": "Apply patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress plugin Post Lockdown by Andyexeter. All versions up to and including 4.0.2 of the plugin are affected. The vulnerability resides specifically in the plugin\u2019s handling of AJAX requests. The common platform enumeration indicates it runs on the WordPress CMS.", "description_and_impact": "The Post Lockdown plugin for WordPress is vulnerable to information exposure due to insufficient authorization (CWE-862) on the 'pl_autocomplete' AJAX action. Authenticated users with Subscriber-level or higher privileges can retrieve content from posts that should be locked, including password-protected, private, or draft posts. This allows the disclosure of confidential post data.", "risk_and_exploitability": "The CVSS score is 4.3, indicating moderate impact, and the EPSS score is less than 1%, showing a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated at least with Subscriber role to exploit it, which suggests that the exploit requires an existing credential and the ability to perform AJAX calls against the site\u2019s admin area. If an attacker gains or steals Subscriber credentials, they can easily request the 'pl_autocomplete' endpoint and read the hidden post contents."}}}}, "created": "2026-04-22T02:00:05.043968+00:00", "updated": "2026-04-22T02:00:05.043980+00:00", "vendors": []}