Logo Carousel < 3.4.2 - Unauthorised Private Post Access
Description
The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress / Logo Carousel
- Range: <3.4.2
Patches
Vulnerability mechanics
Root cause
"Missing authorization check in the Carousel Duplication feature allows users to duplicate and view arbitrary private posts."
Attack vector
An attacker with a Contributor-level role (or higher) can exploit the Carousel Duplication feature to duplicate and view arbitrary private posts authored by other users [ref_id=1]. The plugin fails to verify that the user performing the duplication has permission to access the target private post, enabling an Insecure Direct Object Reference (IDOR) attack [CWE-639]. The attacker simply needs to interact with the duplication functionality and provide a reference to another user's private post.
Affected code
The advisory does not specify exact files or functions. The vulnerability resides in the "Carousel Duplication" feature of the Logo Carousel WordPress plugin (logo-carousel-free) versions before 3.4.2 [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 3.4.2 of the plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds proper authorization checks to the Carousel Duplication feature so that users can only duplicate posts they own or have explicit permission to view.
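As an added illustration of the authorization check described above (this is not the plugin's code, which the advisory does not include), the following WordPress handler duplicates a carousel post only after verifying that the caller may read the source post. The hook name, nonce action and the post type `lc_carousel` are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Hook name, nonce action and the
// post type 'lc_carousel' are assumptions used for illustration only.
add_action( 'admin_post_lc_duplicate_carousel', 'lc_duplicate_carousel_handler' );

function lc_duplicate_carousel_handler() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_admin_referer( 'lc_duplicate_carousel' );

    $source_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
    $source    = $source_id ? get_post( $source_id ) : null;

    // 2. Only objects of the expected type may be duplicated.
    if ( ! $source || 'lc_carousel' !== $source->post_type ) {
        wp_die( esc_html__( 'Invalid carousel.', 'logo-carousel-free' ), '', 400 );
    }

    // 3. Object-level authorization: this is the check whose absence makes the
    //    IDOR possible. 'read_post' is a meta capability that WordPress maps
    //    per post; for another user's private post it requires
    //    'read_private_posts', which the Contributor role does not have.
    if ( ! current_user_can( 'read_post', $source->ID ) ) {
        wp_die( esc_html__( 'You are not allowed to duplicate this carousel.', 'logo-carousel-free' ), '', 403 );
    }

    // 4. The caller must also be allowed to create posts of this type.
    $type_obj = get_post_type_object( $source->post_type );
    if ( ! $type_obj || ! current_user_can( $type_obj->cap->create_posts ) ) {
        wp_die( esc_html__( 'You cannot create carousels.', 'logo-carousel-free' ), '', 403 );
    }

    // 5. Create the copy as a draft owned by the current user, never
    //    inheriting the source's private status or author.
    $new_id = wp_insert_post( array(
        'post_type'    => $source->post_type,
        'post_title'   => $source->post_title . ' (copy)',
        'post_content' => $source->post_content,
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ), true );

    if ( is_wp_error( $new_id ) ) {
        wp_die( esc_html( $new_id->get_error_message() ), '', 500 );
    }

    wp_safe_redirect( get_edit_post_link( $new_id, 'raw' ) );
    exit;
}
```

Without step 3 the handler would copy any post whose ID a Contributor supplied, which is exactly the behaviour the advisory describes.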
Preconditions
- Auth: The attacker must have a WordPress user account with at least the Contributor role.
- Config: The target site must be running a Logo Carousel plugin version before 3.4.2.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/2afadc76-93ad-47e1-a224-e442ac41cbce (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.