Company
Date Published
Author
Simon Scannell
Word count
1893
Language
English
Hacker News points
None

Summary

A logic flaw in WordPress' post type creation mechanism allows attackers with lower-privileged user roles, such as contributors, to bypass security checks and create posts of any type, which exposes features that were intended for administrators only. The vulnerability affects plugins such as Contact Form 7 and Jetpack, which can be used to read sensitive files such as wp-config.php, which contains database credentials and encryption keys. Plugin developers can fix this by explicitly setting the capability and capability_type parameters when registering post types. The vulnerability was reported in August 2018 and patched in WordPress version 5.0.1. With thousands of potentially vulnerable plugins, the impact on a target site depends on which features are available for the exploited post type.