CVE-2024-0965 in Simple Page Access Restriction Plugin
Summary
by MITRE • 02/08/2024
The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's page restriction and view page content.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/12/2026
The Simple Page Access Restriction plugin for WordPress presents a critical security vulnerability classified as CVE-2024-0965, which affects all versions up to and including 1.0.21. This vulnerability manifests as a sensitive information exposure flaw within the plugin's REST API implementation, creating a significant security risk for WordPress installations that rely on this access restriction mechanism. The vulnerability fundamentally undermines the intended security controls of the plugin by allowing unauthorized access to restricted content, thereby compromising the confidentiality of protected page information.
The technical flaw stems from inadequate authentication and authorization checks within the plugin's REST API endpoints. When the plugin processes requests through its REST API interface, it fails to properly validate whether the requesting entity has legitimate access rights to the requested page content. This authentication bypass occurs because the API endpoints do not enforce proper access controls, allowing any unauthenticated attacker to make requests that would normally be restricted to authorized users only. The vulnerability operates at the application layer and specifically targets the API communication channel, making it particularly dangerous as it can be exploited through automated tools and scripts without requiring any prior credentials or privileged access.
The operational impact of this vulnerability extends beyond simple information disclosure, as it fundamentally compromises the security posture of WordPress sites using the affected plugin. Attackers can exploit this vulnerability to gain unauthorized access to restricted pages, potentially including sensitive business information, personal data, internal communications, or confidential resources that should only be accessible to authorized users. This exposure creates risks for compliance violations under data protection regulations such as gdpr, ccpa, and other privacy frameworks. The vulnerability also enables potential escalation attacks where attackers might use the exposed information to plan more sophisticated attacks against the target organization's infrastructure.
Security professionals should consider this vulnerability in the context of the mitre attack framework, where it maps to the initial access phase through the use of unpatched software vulnerabilities. The flaw aligns with common weakness enumeration cwe-200, which describes improper output neutralization for logs, and cwe-352, which covers cross-site request forgery. Organizations using this plugin must implement immediate mitigation strategies including applying the latest available patch, temporarily disabling the REST API endpoints if possible, or implementing additional network-level controls to restrict access to the affected API paths. The vulnerability also highlights the importance of proper input validation and access control implementation in wordpress plugins, as recommended by the owasp top ten project and the wordpress security hardening guidelines.
Mitigation efforts should prioritize immediate patching of the plugin to version 1.0.22 or later, which contains the necessary security fixes to address the authentication bypass issue. System administrators should also conduct comprehensive vulnerability assessments to identify all instances of the affected plugin across their wordpress installations, particularly in environments where sensitive data might be exposed. Network administrators should consider implementing rate limiting and access control rules at the firewall or reverse proxy level to limit potential exploitation attempts. Additionally, organizations should review their overall security monitoring procedures to detect anomalous API access patterns that might indicate exploitation attempts, as the vulnerability could be leveraged for reconnaissance activities before more targeted attacks are launched. The security community should also be aware that this vulnerability demonstrates how seemingly simple access control mechanisms can be undermined through API design flaws, emphasizing the need for comprehensive security testing of all plugin components before deployment in production environments.