Hubbub Lite < 1.33.1 - Unauthenticated Password Protected Posts Access
Description
The Hubbub Lite WordPress plugin before 1.33.1 does not ensure that user have access to password protected post before displaying its content in a meta tag.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <1.33.1
Patches
Vulnerability mechanics
Root cause
"Missing access control check before displaying password-protected post content in a meta tag."
Attack vector
An unauthenticated attacker can trigger the vulnerability by requesting a page that contains a password-protected post while the Hubbub Lite plugin is active [ref_id=1]. The plugin outputs the post content into a meta tag without first verifying that the visitor has supplied the correct password, thereby leaking the protected content to anyone who requests the page [ref_id=1]. No authentication or special privileges are required.
Affected code
The plugin does not ensure that users have access to password-protected posts before displaying their content in a meta tag [ref_id=1]. The specific file and function responsible are not detailed in the advisory.
What the fix does
The advisory states the vulnerability is fixed in version 1.33.1 of the Hubbub Lite plugin [ref_id=1]. No patch diff is provided, but the fix presumably adds an access check (e.g., `post_password_required()`) before outputting the post content into the meta tag, ensuring that only users who have supplied the correct password can see the protected content.
Preconditions
- configThe site must have at least one password-protected post published.
- configThe Hubbub Lite plugin (social-pug) must be active and version below 1.33.1.
- authNo authentication is required; the attacker can be unauthenticated.
Reproduction
Create a password-protected post on a WordPress site running Hubbub Lite
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- wpscan.com/vulnerability/1664697e-0ea3-4d09-b2fd-153a104ec255/mitreexploitvdb-entrytechnical-description
News mentions
0No linked articles in our index yet.