VYPR
Severity: Medium (5.3) · Source: NVD Advisory · Published Dec 9, 2024 · Updated Apr 28, 2026

CVE-2023-49851

Description

Missing Authorization vulnerability in ILMDESIGNS Square Thumbnails allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Square Thumbnails: from n/a through 1.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Patches

Vulnerability mechanics

Root cause

"The permission check was placed in the wrong method, causing the plugin to block all admin pages for users without manage_options instead of only protecting its own settings page."

Attack vector

An attacker with a low-privileged WordPress account (e.g., Author, Contributor, or Editor) who requests a legitimate admin page such as `/wp-admin/profile.php` is denied access by the misplaced authorization check. The plugin's permission check was applied globally in `display_admin_page()` instead of being scoped to the plugin's own settings page, so the plugin blocked all admin area access for users who lacked the `manage_options` capability. This is a violation of the principle of least privilege and constitutes an incorrectly configured access control security level [CWE-862].

Affected code

The vulnerability exists in the Square Thumbnails plugin for WordPress (versions through 1.1.1). The plugin's access control check was incorrectly placed, so users without the `manage_options` capability (such as Authors, Contributors, and Editors) were blocked from accessing their own profile page (`/wp-admin/profile.php`) and other admin areas. The permission check was performed in the `display_admin_page()` method rather than only in the `showPage()` method, so the authorization check affected all admin pages instead of just the plugin's settings page.

What the fix does

The patch moved the capability check from the `display_admin_page()` method to the `showPage()` method, as documented in the changelog for version 2.1.1 [ref_id=1]. This ensures that only the plugin's own settings page (the Square Thumbnails admin page) requires the `manage_options` capability, while all other WordPress admin pages remain accessible to users with lower privileges. The fix correctly scopes the authorization check to the specific resource that needs protection.
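The two placements described above, written out as a constructed PHP illustration (not the Square Thumbnails plugin's actual code): the only names taken from the page are `display_admin_page()`, `showPage()` and the `manage_options` capability; the `admin_init` hook, the `add_options_page()` registration and the `square-thumbnails` slug are assumptions chosen to make the skeleton runnable as a plugin.

```php
<?php
/*
 * Plugin Name: Square Thumbnails (capability-check placement demo)
 * Constructed example for CVE-2023-49851; not the vendor's code.
 */

// --- Vulnerable placement (<= 1.1.1, as described in the advisory) ---------
// 'admin_init' fires on EVERY wp-admin request, including profile.php, so a
// capability check inside this callback blocks Authors, Contributors and
// Editors from the whole admin area, not just from the plugin's page.
function sqthumb_vulnerable_display_admin_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
    }
    // ... plugin-wide setup that does not need the check
}
// add_action( 'admin_init', 'sqthumb_vulnerable_display_admin_page' ); // vulnerable wiring

// --- Fixed placement (2.1.1 per the changelog) ------------------------------
// The plugin-wide callback no longer gates access; it just does its setup.
function sqthumb_display_admin_page() {
    // ... plugin-wide setup only; no capability check here
}
add_action( 'admin_init', 'sqthumb_display_admin_page' );

// The check now lives only in the callback that renders the plugin's own
// settings page. Registering the page with 'manage_options' also makes
// WordPress enforce that capability before calling the callback; the explicit
// check inside showPage() is defence in depth against direct invocation.
function sqthumb_register_page() {
    add_options_page(
        'Square Thumbnails',      // page title
        'Square Thumbnails',      // menu title
        'manage_options',         // capability required to see/open the page
        'square-thumbnails',      // menu slug (assumed)
        'sqthumb_showPage'        // render callback
    );
}
add_action( 'admin_menu', 'sqthumb_register_page' );

function sqthumb_showPage() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
    }
    echo '<div class="wrap"><h1>Square Thumbnails</h1>';
    // ... settings form
    echo '</div>';
}
```

A site owner can confirm which placement is in effect without reading the code: log in as an Author and open `/wp-admin/profile.php`. With the vulnerable placement the request ends in the "sufficient permissions" error; with the fixed placement the profile page loads and only the Square Thumbnails settings page is refused.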

Preconditions

  • Auth: The attacker must have a WordPress user account with a role that lacks the `manage_options` capability (e.g., Author, Contributor, or Editor).
  • Config: The Square Thumbnails plugin version 1.1.1 or earlier must be installed and active.
  • Network: The attacker must attempt to access any WordPress admin page (e.g., `/wp-admin/profile.php`).

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1