CVE-2026-54837
Syed · Intranet & Private Site – All-In-One Intranet
An unauthenticated broken access control vulnerability exists in the All-In-One Intranet plugin, potentially allowing unauthorized access to restricted site data.
Executive summary
The Intranet & Private Site – All-In-One Intranet plugin is vulnerable to an unauthenticated broken access control flaw, posing a significant risk of unauthorized data exposure.
Vulnerability
The plugin's purpose is to restrict a WordPress site to logged-in users. Insufficient capability checks within the plugin's core functions let an unauthenticated remote attacker bypass that restriction and read private intranet resources without ever logging in.
Business impact
Successful exploitation lets an unauthenticated actor bypass the plugin's access restrictions and read content the site was configured to hide, potentially exposing sensitive internal organizational data, user information, or private site configuration. With a CVSS score of 7.5, this high-severity flaw threatens the confidentiality of the intranet environment and could lead to reputational damage and data privacy compliance issues.
Remediation
Immediate Action: Check the vendor's security advisories and the plugin's update channel for a fixed release and apply it as soon as it is available. Do not simply deactivate the plugin as a stopgap: it is the control that keeps the site private, so removing it exposes the whole site rather than closing the hole.
Proactive Monitoring: Monitor web server access logs for anomalous requests to intranet content and, in particular, for 200 OK responses on paths that should require login when the client has not authenticated (the expected answer to an anonymous visitor is a redirect to the login page or an explicit denial).
Compensating Controls: Until a patch is applied, add a layer of access control that does not depend on the plugin, such as web-server-level authentication in front of WordPress or restricting the site to VPN or corporate IP ranges, and deploy a Web Application Firewall (WAF) rule to block suspicious traffic patterns against the plugin's endpoints.
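The monitoring step above can be turned into a repeatable check. The script below is an added example for this advisory, not code from the vendor or the plugin: it reads web server access logs in the standard combined format, treats a client as logged in once it has sent a POST to /wp-login.php that was answered with a redirect, and flags every 200 OK for non-static, non-login content that came from a client with no such login in the log window. The log lines are constructed for the example, and the heuristic assumes that the plugin's expected response to an anonymous visitor is a login redirect or a denial; a logged-in client whose login predates the log window will also be flagged, so treat findings as leads to triage, not verdicts.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Apache/nginx "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: static assets are served by the web server regardless of login state,
# and the login page itself is the one page an anonymous visitor is meant to see.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2", ".ico")
PUBLIC_PATHS = ("/wp-login.php",)
# Responses that are the expected outcome for a client that has not logged in.
EXPECTED_ANON_STATUS = (301, 302, 303, 307, 401, 403)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line):
    """Return a Hit for a combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]))


def bare_path(path):
    return path.split("?", 1)[0]


def is_expected_anonymous(hit):
    """True if this response is one the intranet legitimately gives to an anonymous client."""
    path = bare_path(hit.path)
    if hit.status in EXPECTED_ANON_STATUS:
        return True
    return path in PUBLIC_PATHS or path.lower().endswith(STATIC_EXT)


def find_suspicious(lines):
    """Return hits where private content was served (200) to a client with no observed login."""
    logged_in = set()
    findings = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        # A successful WordPress login is a POST to wp-login.php answered with a redirect.
        if (hit.method == "POST" and bare_path(hit.path) == "/wp-login.php"
                and hit.status in (302, 303)):
            logged_in.add(hit.ip)
            continue
        if hit.ip in logged_in:
            continue
        if hit.status == 200 and not is_expected_anonymous(hit):
            findings.append(hit)
    return findings


def summarize(findings):
    """Group flagged paths by client IP so one noisy scanner shows up as one entry."""
    by_ip = defaultdict(list)
    for hit in findings:
        by_ip[hit.ip].append(hit.path)
    return dict(by_ip)


# Constructed sample log: one real user who logs in, one anonymous client that
# receives private pages and the REST posts list without logging in, and one
# anonymous client that gets the expected redirect.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:09:01:02 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2026:09:01:03 +0000] "GET /wp-login.php?redirect_to=%2F HTTP/1.1" 200 4182 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2026:09:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2026:09:01:21 +0000] "GET /hr/policies/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2026:09:05:44 +0000] "GET /wp-content/themes/intranet/style.css HTTP/1.1" 200 2210 "-" "curl/8.4.0"
203.0.113.9 - - [12/May/2026:09:05:45 +0000] "GET /hr/policies/ HTTP/1.1" 200 9120 "-" "curl/8.4.0"
203.0.113.9 - - [12/May/2026:09:05:46 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 31877 "-" "curl/8.4.0"
198.51.100.7 - - [12/May/2026:09:07:10 +0000] "GET /finance/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, paths in summarize(find_suspicious(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {len(paths)} private 200 OK responses without a login: {paths}")
```

Run it against a real log with `find_suspicious(open("access.log").readlines())`; widen the window (or enrich the log with a logged-in flag from your own format) before acting on a single flagged IP, since the login heuristic only sees logins that fall inside the file it is given.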
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score and the potential for unauthorized data exposure, organizations should prioritize remediation of this vulnerability. Administrators should verify the installed plugin version, apply the fixed release as soon as the vendor publishes it, and keep the compensating controls in place until then to limit unauthorized access to sensitive internal data.