WooCommerce 2.1.6 contains a vulnerability that allows the title of any post, of any type, to be displayed. The flaw has been present since 2.0.
By modifying the purchase address directly in the browser's address bar, it becomes possible to display the title of a post of any type and any status.
Titles of drafts, pending posts, protected posts and other Custom Post Types can be displayed, even if they were never designed to be shown on the front end.
Since some membership management plugins use their own CPT “member” with email addresses as titles, the danger is high. This information should not be displayed, or the type and status have to be checked more carefully.
This can seem harmless, but think of the plugins that use titles to store private information not designed to be displayed on the front end, or of a private bbPress forum: with this exploit, the titles of protected posts can be read.
Commit 55ad5bb0ad6191cd46c7d5055a1244bc87734912 patches the flaw in 2.1.8 simply by removing the display. Keep your installation updated!
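For code that does need to print a title from a request-supplied post ID, the type and status check suggested above could look like the following. This is an added example, not WooCommerce's code or its patch; the helper name `example_public_title()` is hypothetical, and the snippet assumes it runs inside WordPress with `product` as the only post type the page should ever show.

```php
<?php
/**
 * Added example (not WooCommerce code). Runs inside WordPress.
 * example_public_title() is a hypothetical helper name.
 *
 * Returns an escaped title only when the post is of an allowed type,
 * is published, and is not password protected. Returns '' otherwise.
 */
function example_public_title( $raw_id, array $allowed_types = array( 'product' ) ) {
    $id = absint( $raw_id );

    // get_post( 0 ) falls back to the global $post, so reject 0 explicitly.
    if ( 0 === $id ) {
        return '';
    }

    $post = get_post( $id );
    if ( ! $post instanceof WP_Post ) {
        return '';
    }

    // Type check: an allowlist, so a CPT such as "member" never matches.
    if ( ! in_array( $post->post_type, $allowed_types, true ) ) {
        return '';
    }

    // Status check: drafts, pending, private, trashed posts are refused.
    if ( 'publish' !== $post->post_status ) {
        return '';
    }

    // Password-protected posts keep their title hidden as well.
    if ( '' !== $post->post_password ) {
        return '';
    }

    return esc_html( get_the_title( $post ) );
}
```

Returning the same empty string for every refusal avoids telling the requester whether a given ID exists as a hidden post.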
I did not have the chance to be quoted for a responsible disclosure, meaning I wait for a patch to advise the world, instead of disclosing everywhere before a patch.
The plugin’s changelog does not talk about the vulnerability, nor the modification. Strange secret …