diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4bc9452..d281b2c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,17 @@
 # CHANGELOG
+## 0.93.0
+
+* Don't skip password protected filter when showing content.
+* Sanitize post_status so some posts are only shown if user is Editor or Administrator.
+* Addresses reported vulnerability: `CVE-2025-11377, Authenticated (Contributor+) Information Exposure`. `
+ * CVSS Severity Score: 4.3 (Medium)
+ * CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ * Organization: Wordfence
+ * Vulnerability Researcher(s): Athiwat Tiprasaharn (Jitlada)
+
+This is a low risk vulnerability that could potentially be executed by an authenticated attacker, with contributor-level access and above. But it should be fixed with this version.
+
 ## 0.92.0
 * Avoids potential SQL injection in `starting_with` parameter - CVE-2025-10163. This solves SQL injection and results in `starting_with` working as per the Wiki, but the previous code also allowed things like `[catlist starting_with="Hello"]` which would return posts starting with "Hello" but not just with "H". This new implementation would return both, because only the first character matters, which is ok because that's what is documented.
diff --git a/include/lcp-catlist.php b/include/lcp-catlist.php
index b0cac96..eef24a3 100644
--- a/include/lcp-catlist.php
+++ b/include/lcp-catlist.php
@@ -91,6 +91,9 @@ private function set_lcp_parameters(){
 // http://core.trac.wordpress.org/browser/tags/3.7.1/src/wp-includes/post.php#L1686
 $args['posts_per_page'] = $args['numberposts'];
+ if (isset($args['post_status'])){
+ $args['post_status'] = $this->sanitize_status($args['post_status']);
+ }
 do_action( 'lcp_pre_run_query', $args );
 if ('no' === $this->params['main_query']) {
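Review bot: The new call hands `$args['post_status']` straight to `sanitize_status()`, which (in the last hunk of this file) iterates it with `in_array()` and then `implode()`s it, so the helper only works for an array. WP_Query accepts `post_status` as either an array or a comma-separated string, and shortcode attributes arrive as strings, so if the value can reach this point as a string `in_array()` raises a `TypeError` on PHP 8 (a warning on older versions). Normalising before the call avoids that: `$status = $args['post_status'];` followed by `$args['post_status'] = $this->sanitize_status(is_array($status) ? $status : explode(',', $status));`. set_lcp_parameters() starts outside the hunk.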
@@ -444,16 +447,23 @@ public function get_content($single) {
 if (isset($this->params['content']) && ($this->params['content'] =='yes' || $this->params['content'] == 'full') && $single->post_content){
- // get_extended - get content split by
- $lcp_extended = get_extended($single->post_content);
- $lcp_content = $lcp_extended['main'];
- $lcp_content = apply_filters('the_content', $lcp_content);
- $lcp_content = str_replace(']]>', ']]>', $lcp_content);
+ // If the post is password protected, set the password form in the content.
+ if (post_password_required($single)) {
+ $lcp_content = get_the_password_form($single);
+ return $lcp_content;
+ } else {
+ // get_extended - get content split by
+ $lcp_extended = get_extended($single->post_content);
+ $lcp_content = $lcp_extended['main'];
+ $lcp_content = apply_filters('the_content', $lcp_content);
+ $lcp_content = str_replace(']]>', ']]>', $lcp_content);
+ }
 if ($this->params['content'] == 'full') {
 $lcp_extended_content = str_replace(
 ']]>',
- ']]>', apply_filters('the_content', $lcp_extended['extended'])
+ ']]>',
+ apply_filters('the_content', $lcp_extended['extended'])
 );
 $lcp_content .= $lcp_extended_content;
 } else {
@@ -468,7 +478,7 @@ public function get_content($single) {
 }
 return $lcp_content;
 } else {
- return null;
+ return null;
 }
 }
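Review bot: The `else` around the `get_extended()` block is dead structure, because the password branch above it returns; writing the guard as `if (post_password_required($single)) { return get_the_password_form($single); }` and letting the extraction follow at the same level reads more plainly. The early return also skips the `'full'` and extended-content handling further down, which is the intent for a protected post and deserves a one-line comment such as `// Protected posts render only the password form; the content handling below is skipped on purpose.` Any other rendering path in this class that reads `$single->post_content` directly (an excerpt path, if one exists) presumably needs the same `post_password_required()` check — worth confirming. get_content() starts outside the hunk.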
@@ -598,4 +608,18 @@ public function get_pagination() {
 );
 return LcpPaginator::get_instance()->get_pagination($paginator_params);
 }
+
+ // Sanitizes the statuses for post_status. Checks if current user is either editor or
+ // admininstrator. Other users can't see draft or private posts.
+ private function sanitize_status($statuses){
+ if (in_array('private', $statuses) || in_array('draft', $statuses)) {
+ if ( !( current_user_can('editor') || current_user_can('administrator')) ) {
+ $private_index = array_search('private', $statuses);
+ unset($statuses[$private_index]);
+ $draft_index = array_search('draft', $statuses);
+ unset($statuses[$draft_index]);
+ }
+ }
+ return implode(',', $statuses);
+ }
 }
diff --git a/list-category-posts.php b/list-category-posts.php
index bb74525..9c81d0a 100644
--- a/list-category-posts.php
+++ b/list-category-posts.php
@@ -3,7 +3,7 @@ Plugin Name: List category posts
 Plugin URI: https://github.com/picandocodigo/List-Category-Posts
 Description: List Category Posts allows you to list posts by category in a post/page using the [catlist] shortcode. This shortcode accepts a category name or id, the order in which you want the posts to display, the number of posts to display and many more parameters. You can use [catlist] as many times as needed with different arguments. Usage: [catlist argument1=value1 argument2=value2].
- Version: 0.92.0
+ Version: 0.93.0
 Author: Fernando Briano
 Author URI: http://fernandobriano.com
diff --git a/readme.txt b/readme.txt
index 34eb229..2b37198 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,9 +3,9 @@ Contributors: fernandobt, zymeth25
 Donate Link: http://picandocodigo.net/programacion/wordpress/list-category-posts-wordpress-plugin-english/#support
 Tags: list, categories, posts, cms
 Requires at least: 3.3
-Tested up to: 6.8.2
+Tested up to: 6.8.3
 Requires PHP: 5.6
-Stable tag: 0.92.0
+Stable tag: 0.93.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
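Review bot: `array_search()` returns `false` when a status is absent and `unset($statuses[false])` removes key 0, so in `sanitize_status()` a list holding only one of the two statuses (e.g. `['publish', 'private']`) also loses `publish`; `$statuses = array_diff($statuses, ['private', 'draft']);` replaces both search/unset pairs without that hazard. The check is also a denylist of two values, while WP_Query honours other non-public statuses (`pending`, `future`) and the catch-all `any`, so an allowlist of statuses registered as public is the safer shape, as in the rewrite below. `current_user_can()` is given the role names `editor`/`administrator`, which WordPress documents as not reliably supported and which skip custom roles; the capability `read_private_posts` states the intent directly. The comment also misspells "admininstrator".
```php
  // Restricts post_status to statuses registered as public unless the current
  // user may read private posts; 'any' and unregistered values drop out as well.
  private function sanitize_status($statuses){
    if ( !current_user_can('read_private_posts') ) {
      $public = get_post_stati(['public' => true]);
      $statuses = array_values(array_intersect($statuses, $public));
    }
    return implode(',', $statuses);
  }
```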
@@ -243,6 +243,14 @@ Template system has changed. Custom templates should be stored in WordPress them
 See [CHANGELOG.md](https://github.com/picandocodigo/List-Category-Posts/blob/master/CHANGELOG.md) for full Changelog.
+= 0.93.0 =
+
+* Don't skip password protected filter when showing content.
+* Sanitize post_status so some posts are only shown if user is Editor or Administrator.
+* Addresses reported vulnerability: CVE-2025-11377, Authenticated (Contributor+) Information Exposure. Severity Score: 4.3 (Medium). CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Organization: Wordfence. Vulnerability Researcher(s): Athiwat Tiprasaharn (Jitlada)
+
+This is a low risk vulnerability that could potentially be executed by an authenticated attacker, with contributor-level access and above. But it should be fixed with this version.
+
 = 0.92.0 =
 * Avoids potential SQL injection in `starting_with` parameter - CVE-2025-10163. This solves SQL injection and results in `starting_with` working as per the Wiki, but the previous code also allowed things like `[catlist starting_with="Hello"]` which would return posts starting with "Hello" but not just with "H". This new implementation would return both, because only the first character matters, which is ok because that's what is documented.