Can you explain this vulnerability to me?

This vulnerability exists in the Schedule Post Changes With PublishPress Future WordPress plugin (up to version 4.9.2). It is caused by a missing capability check on the getAuthors function, allowing authenticated users with Contributor-level access or higher to access email addresses of all users who have the edit_posts capability, which they should not normally be able to retrieve.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

The vulnerability can lead to unauthorized disclosure of user email addresses to attackers who have at least Contributor-level access. This could result in privacy violations, targeted phishing attacks, or other malicious activities leveraging the exposed email information.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows authenticated attackers with Contributor-level access and above to retrieve emails of all users with edit_posts capability, potentially leading to unauthorized disclosure of personal data. Such unauthorized access to user email addresses could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal information against unauthorized access.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update the Schedule Post Changes With PublishPress Future plugin to a version later than 4.9.2 where the missing capability check on the getAuthors function is fixed. Additionally, restrict Contributor-level access and above to trusted users only until the update is applied.

Useful 0 Not Useful 0