Security Risk: 
Moderately Critical
Vulnerability: 
Access Bypass
Affected Versions: 
  • 4.7.13
  • 4.6.23
Fixed Versions: 
  • 4.7.14
  • 4.6.24
Publication Date: 
Tuesday, November 29, 2016
Description: 

This issue affects your site if CiviCRM is installed on WordPress and you use ACLs to restrict access to contact data.

CiviCRM on WordPress did not correctly trigger ACL checks when a CiviCRM profile was viewed through a checksum-authenticated profile URL. An affected site could therefore disclose some contact data through profile pages that its ACLs were meant to restrict.
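The pattern behind this class of bug, as an added illustration that is not CiviCRM's code and uses none of its APIs: a checksum in a profile URL authenticates the bearer (it proves the link was issued for that contact), but it must not replace the ACL check that decides which fields the profile may expose. The site key, TTL, contact record and ACL table below are all constructed for the example.

```python
"""Constructed model of the access-bypass pattern in the advisory (not CiviCRM code)."""
import hashlib
import hmac
import time
from typing import Optional

SITE_KEY = b"constructed-site-key-do-not-reuse"  # assumption: a per-site secret
CHECKSUM_TTL = 7 * 24 * 3600                      # assumption: checksum links live a week

# Constructed contact record (not real data).
CONTACTS = {
    101: {"first_name": "Ada", "email": "ada@example.org",
          "phone": "+1-555-0100", "notes": "major donor, do not solicit"},
}

# Constructed ACL: fields a role may see on a contact through the profile.
# "self" is the role a bearer of a valid checksum is mapped to.
ACL = {
    "anonymous": set(),
    "self": {"first_name", "email", "phone"},
    "staff": {"first_name", "email", "phone", "notes"},
}


def make_checksum(contact_id: int, issued_at: Optional[int] = None) -> str:
    """Issue a token of the form <issued_at>_<hmac-sha256 over id and timestamp>."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    msg = f"{contact_id}:{issued_at}".encode()
    mac = hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}_{mac}"


def valid_checksum(contact_id: int, token: str, now: Optional[int] = None) -> bool:
    """True if token was issued for contact_id, is well-formed and has not expired."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, mac = token.split("_", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > CHECKSUM_TTL:
        return False
    expected = make_checksum(contact_id, issued_at).split("_", 1)[1]
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def acl_filter(contact_id: int, role: str) -> dict:
    """Return only the fields the role is permitted to see."""
    allowed = ACL.get(role, set())
    return {k: v for k, v in CONTACTS[contact_id].items() if k in allowed}


def view_profile_vulnerable(contact_id: int, role: str, token: Optional[str]) -> dict:
    """Bug pattern: a valid checksum short-circuits the ACL check entirely."""
    if token is not None and valid_checksum(contact_id, token):
        return dict(CONTACTS[contact_id])  # every field leaks, including "notes"
    return acl_filter(contact_id, role)


def view_profile_fixed(contact_id: int, role: str, token: Optional[str]) -> dict:
    """Fixed pattern: the checksum only changes who is asking; the ACL always runs."""
    if token is not None and valid_checksum(contact_id, token):
        role = "self"
    return acl_filter(contact_id, role)
```

Calling `view_profile_vulnerable(101, "anonymous", make_checksum(101))` returns all four fields, while `view_profile_fixed` with the same arguments returns only the three the "self" role is allowed, and with no token returns nothing for an anonymous viewer.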

Solutions: 

Upgrade to the latest CiviCRM release.

If you cannot upgrade to the latest CiviCRM version, apply the patch here: https://github.com/civicrm/civicrm-core/pull/8707

Credits: 

Brian Shaughnessy for reporting the issue and providing a fix

References: