Merge pull request #46 from tomusborne/release/1.1.5

Release: 1.1.5

readme.txt

@@ -4,7 +4,7 @@ Donate link: https://wpshowposts.com
 Tags: show posts, display posts shortcode, portfolio, gallery, post columns
 Requires at least: 4.5
 Tested up to: 6.1
-Stable tag: 1.1.4
+Stable tag: 1.1.5
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -167,6 +167,9 @@ In most cases, #1 will work fine and is way easier.
 
 == Changelog ==
 
+= 1.1.5 =
+* Security: Add user capability check for post status
+
 = 1.1.4 =
 * Security: Improve escaping of settings that display HTML
 * Tweak: Add wpsp_query_args filter

wp-show-posts.php

@@ -3,7 +3,7 @@
 Plugin Name: WP Show Posts
 Plugin URI: https://wpshowposts.com
 Description: WP Show Posts allows you to list posts (from any post type) anywhere on your site. This includes WooCommerce products or any other post type you might have! Check out the pro version for even more features at https://wpshowposts.com.
-Version: 1.1.4
+Version: 1.1.5
 Author: Tom Usborne
 Author URI: https://tomusborne.com
 License: GNU General Public License v2 or later
@@ -17,7 +17,7 @@
 }
 
 // Define the current version
-define( 'WPSP_VERSION', '1.1.4' );
+define( 'WPSP_VERSION', '1.1.5' );
 
 // Add resizer script
 if ( ! class_exists( 'WPSP_Resize' ) ) {
@@ -233,6 +233,11 @@ function wpsp_display( $id, $custom_settings = false ) {
 		$args['post_status'] = $validated;
 	}
 
+	// Prevent private posts from showing up for non-authenticated users.
+	if ( isset( $args['post_status'] ) && ! current_user_can( 'read_private_posts' ) ) {
+		$args['post_status'] = array( 'publish' );
+	}
+
 	// If taxonomy attributes, create a taxonomy query
 	if ( ! empty( $settings[ 'taxonomy' ] ) && ! empty( $settings[ 'tax_term' ] ) ) {