Cyber Resilience

CVE-2024-11090

Medium

Published: 26 January 2025

Modified: 30 January 2026
KEV Added: not listed
Patch: available (WordPress plugins trac changeset 3227065)
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0009 (25.0th percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11090 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Liquidweb Restrict Content. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 25.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-11090 is a sensitive information exposure vulnerability (CWE-200) in the Membership Plugin – Restrict Content for WordPress, affecting all versions up to and including 3.2.13. The flaw is reachable through the WordPress core search feature: search results are not filtered against the requester's role, so content from posts restricted to higher-level roles such as administrator can be extracted.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). Exploitation gives a remote attacker with no privileges read access to confidential data from protected posts (confidentiality impact Low), without affecting integrity or availability.

Mitigation details are available in the WordPress plugins trac changeset 3227065 at https://plugins.trac.wordpress.org/changeset/3227065/restrict-content, which addresses the issue. Further advisory information is provided by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/7615c391-ccb1-4990-bbfd-949782cc609a?source=cve.

Vulnerability details

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.13 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

CWE(s): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability enables unauthenticated remote exploitation of a public-facing WordPress plugin to bypass access controls and extract restricted data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-14844 (same product: Liquidweb Restrict Content)
CVE-2024-13796 (shared CWE-200)
CVE-2025-25975 (shared CWE-200)
CVE-2024-12142 (shared CWE-200)
CVE-2025-25951 (shared CWE-200)
CVE-2026-34297 (shared CWE-200)
CVE-2024-26480 (shared CWE-200)
CVE-2026-24498 (shared CWE-200)
CVE-2025-22828 (shared CWE-200)
CVE-2026-23659 (shared CWE-200)

Affected Assets

Vendor: liquidweb
Product: restrict content
Versions: ≤ 3.2.14

Mitigating Controls (NIST 800-53 r5)

Prevent: Remediating the specific flaw in the Membership Plugin via patching directly prevents unauthenticated attackers from extracting sensitive data from restricted posts through the WordPress search feature.

Prevent (AC-3 Access Enforcement): Enforcing approved authorizations for access to restricted posts ensures the search feature does not bypass role-based protections, blocking unauthorized exposure of sensitive information.

Prevent (SI-15 Information Output Filtering): Filtering search results according to the requesting user's authorizations, before any excerpt or matched content is returned, prevents the disclosure of sensitive data from higher-level restricted posts to unauthenticated attackers.
