This issue affects your site if it is hosted on WordPress, and you use ACLs to restrict access to contact data.
It was identified that CiviCRM on WordPress CMS did not correctly trigger ACL checks when viewing CiviCRM profile URLs via checksum. This might lead sites to disclose some contact data via profile pages.
- 4.7.13
- 4.6.23
- 4.7.14
- 4.6.24
Upgrade to the latest CiviCRM release.
If you cannot upgrade to the latest CiviCRM version apply the patch here https://github.com/civicrm/civicrm-core/pull/8707
Brian Shaughnessy for reporting the issue and providing a fix