Themes Vulnerabilities

ListingPro < 2.6.1 - Unauthenticated Sensitive Data Disclosure (Usernames, Emails etc)

Description

Unauthenticated users could gain access to sensitive data, such as usernames, full names, email addresses and in some case phone numbers by sending a request to /wp-admin/index.php?download-lp-users=yes which is registered to the init hook

Affects Themes

listingpro
Fixed in 2.6.1

References

CVE
CVE-2020-36723
URL
https://blog.nintechnet.com/wordpress-listingpro-theme-fixed-a-critical-vulnerability/

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet)
Verified
No
WPVDB ID
096e6e16-c14d-42da-8ba3-c271db3385a4

Timeline

Publicly Published
2020-12-17 (about 2 years ago)
Added
2020-12-17 (about 2 years ago)
Last Updated
2023-06-08 (about 5 months ago)

Other

Published
Title
Published
2020-12-07
Title
Easy WP SMTP < 1.4.3 - Debug Log Disclosure
Published
2022-12-27
Title
All In One WP Security & Firewall < 5.1.3 - Configuration Leak
Published
2023-09-25
Title
WP Job Openings < 3.4.3 - Sensitive Data Exposure via Directory Listing
Published
2023-06-26
Title
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor < 3.8.0 - Sensitive Data Disclosure
Published
2021-02-23
Title
Web-Stat < 1.4.1 - API Key Disclosure