Auth bypass in Web Stories for WordPress plugin
Description
Author role users in Web Stories for WordPress could bypass password protection when duplicating stories, exposing protected content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Web Stories for WordPress plugin (versions prior to 1.32) failed to properly enforce permission checks when users with the Author role attempted to duplicate password-protected stories. The plugin's dashboard allowed duplication without verifying the user's capability to edit such protected content. [1]
Exploitation
An attacker with an Author-level account on a WordPress site using the plugin could navigate to the Web Stories dashboard and duplicate a password-protected story. No additional authentication or user interaction is required beyond having the Author role. [1]
Impact
Successful exploitation allows the attacker to access the content of password-protected stories, which may contain sensitive information. The attacker gains read access to the protected story data, bypassing the intended password restriction. [1]
Mitigation
The vulnerability is fixed in version 1.32 of the Web Stories for WordPress plugin, released on 2023-05-08 [2]. Users should upgrade to version 1.32 or later. The fix ensures that permission checks are properly performed when duplicating stories, preventing unauthorized access. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Google/Web Stories for WordPress (v5), Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin did not properly check user permissions when duplicating password-protected stories."
Attack vector
An attacker with the 'Author' role in WordPress can attempt to duplicate a password-protected story. The plugin's dashboard allows users to initiate a duplication process for stories. During this process, the plugin fails to enforce the permission check that would normally prevent authors from accessing or duplicating password-protected content.
Affected code
The vulnerability exists in the `create_item` method within the `Stories_Base_Controller` class of the Web Stories for WordPress plugin. The duplication functionality, intended to be restricted, was accessible without proper authorization checks for password-protected posts [ref_id=1].
What the fix does
The patch modifies the permission checks within the plugin's REST API controller for duplicating stories. Specifically, it ensures that the `create_item` method correctly verifies if the current user has the necessary permissions to duplicate a password-protected post before proceeding. This prevents users with insufficient privileges, such as the 'Author' role, from bypassing content protection by duplicating protected stories [ref_id=1].
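The missing check described above, as an added example: a simplified Python model of the authorization logic, not the plugin's PHP code. The role capability table, the `User` and `Story` types and every function name are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from itertools import count

# Assumed, simplified subset of WordPress role capabilities (not plugin code).
ROLE_CAPS = {
    "author": {"edit_posts", "publish_posts"},
    "editor": {"edit_posts", "publish_posts", "edit_others_posts"},
}

@dataclass(frozen=True)
class User:
    id: int
    role: str

@dataclass(frozen=True)
class Story:
    id: int
    author_id: int
    content: str
    password: str = ""  # non-empty means password-protected

_ids = count(100)  # constructed ID source for duplicated stories

def can_create(user):
    return "edit_posts" in ROLE_CAPS[user.role]

def can_edit(user, story):
    """Object-level check: own stories need edit_posts, others' need edit_others_posts."""
    needed = "edit_posts" if story.author_id == user.id else "edit_others_posts"
    return needed in ROLE_CAPS[user.role]

def _copy(user, original):
    # The requester owns the duplicate, so can_edit() passes on it afterwards.
    return replace(original, id=next(_ids), author_id=user.id)

def duplicate_vulnerable(user, original):
    """Only asks 'may this user create stories?'; the source story is never checked."""
    if not can_create(user):
        raise PermissionError("cannot create stories")
    return _copy(user, original)

def duplicate_fixed(user, original):
    """Also requires edit rights on the story being copied."""
    if not can_create(user):
        raise PermissionError("cannot create stories")
    if not can_edit(user, original):
        raise PermissionError("cannot duplicate a story you cannot edit")
    return _copy(user, original)
```

The general lesson for reviewing copy, clone or import handlers is that the create permission alone is not enough: the handler must also authorize the caller against the source object it reads from.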
Preconditions
- auth: The attacker must have an 'Author' role in WordPress.
- input: The attacker needs to know the ID of a password-protected story.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References