ListingPro < 2.6.1 - Unauthenticated Sensitive Data Disclosure (Usernames, Emails etc)

Description

Unauthenticated users could gain access to sensitive data, such as usernames, full names, email addresses and in some case phone numbers by sending a request to  /wp-admin/index.php?download-lp-users=yes which is registered to the init hook

Affects Themes

listingpro

Fixed in version 2.6.1✓

References

URL

https://blog.nintechnet.com/wordpress-listingpro-theme-fixed-a-critical-vulnerability/

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

Miscellaneous

Original Researcher

Jerome Bruandet (nintechnet)

Verified

WPVDB ID

096e6e16-c14d-42da-8ba3-c271db3385a4

Timeline

Publicly Published

2020-12-17 (about 9 months ago)

Added

2020-12-17 (about 9 months ago)

Last Updated

2020-12-18 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin