Hash Elements <= 1.4.7 - Missing Authorization to Unauthenticated Draft Post Title Exposure
Description
The Hash Elements plugin for WordPress, in versions up to and including 1.4.7, discloses draft post titles to unauthenticated users because of a missing capability check.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Hash Elements plugin for WordPress, in all versions up to and including 1.4.7, contains a missing capability check in the hash_elements_get_posts_title_by_id() function [1]. This function is intended to retrieve post titles but does not verify that the requesting user has sufficient privileges. As a result, unauthenticated attackers can exploit this endpoint to obtain the titles of draft posts, which should be inaccessible to users without edit capabilities. The vulnerability affects versions 1.0.0 through 1.4.7 of the plugin.
Exploitation
An attacker needs no authentication or special network position; the vulnerable function can be called via a direct HTTP request to the WordPress AJAX endpoint. By sending a crafted request with a post ID parameter, the attacker triggers hash_elements_get_posts_title_by_id(), which returns the title of the specified post, including draft posts that were created but not published. No user interaction or privileged access is required.
Impact
Successful exploitation allows an unauthenticated attacker to retrieve the titles of draft posts. This leads to unauthorized information disclosure, potentially revealing sensitive content or upcoming publications. The attacker gains no write or execute capabilities, and the scope is limited to post titles (not full content or other data).
Mitigation
The vulnerability is fixed in version 1.4.8 of the Hash Elements plugin. Users should update to the latest version available (1.5.5 as of the reference date) to ensure protection. If updating is not immediately possible, site administrators may consider disabling the plugin until the update is applied. The plugin is actively maintained and no workaround other than patching is recommended.
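The kind of check the advisory reports as missing, shown as a hardened title-lookup handler. This is an added example, not the plugin's code or its 1.4.8 patch: the handler name, AJAX action name, nonce name and `ids` parameter are hypothetical, and it assumes the lookup is only needed by logged-in editors.

```php
<?php
// Added illustration, not Hash Elements code. The handler name, action name,
// nonce name and the 'ids' parameter are hypothetical.

// Assumption: the lookup is only used inside the editor, so it is registered
// for logged-in users only. Also hooking it on wp_ajax_nopriv_* would make it
// reachable by anonymous visitors.
add_action( 'wp_ajax_example_get_post_titles', 'example_get_post_titles' );

function example_get_post_titles() {
    // 1. Nonce: reject requests that were not issued from the site's own UI.
    check_ajax_referer( 'example_get_post_titles', 'nonce' );

    // 2. Capability check: the caller must be allowed to edit posts at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Normalise the requested IDs to positive integers.
    $ids = isset( $_POST['ids'] )
        ? array_map( 'absint', (array) wp_unslash( $_POST['ids'] ) )
        : array();

    $titles = array();
    foreach ( array_filter( $ids ) as $id ) {
        $post = get_post( $id );
        if ( ! $post ) {
            continue;
        }

        // 3. Per-object check: anything that is not published (draft, pending,
        //    private, future) is returned only to users who can edit that
        //    specific post, so a contributor cannot read other authors' drafts.
        if ( 'publish' !== $post->post_status && ! current_user_can( 'edit_post', $id ) ) {
            continue;
        }

        $titles[ $id ] = get_the_title( $post );
    }

    wp_send_json_success( $titles );
}
```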
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.4.7
- (no CPE) range: 0