WordPress Plugin Vulnerabilities

Export Users to CSV < 1.4 - Unauthorised CSV Access

Description

The plugin exports a CSV file containing sensitive user data.

The generated files are stored in a public directory with a predictable filename based on a Unix timestamp. CSV files are discoverable either through enumeration or path traversal.

Export Users to CSV gives the site administrator no view of previously exported CSV files, and generated CSV files are never deleted, so every export remains on disk indefinitely.
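An audit helper for the lingering-export problem described above, added here as an example and not code from the plugin or its author. It assumes the weak scheme names files as a ten-digit Unix timestamp followed by .csv (the advisory only says "based on a Unix timestamp"), finds and optionally purges such files under the uploads tree, and shows the kind of unguessable name a fixed export routine should use instead; the sample directory it builds is constructed.

```python
# Added example, not the plugin's code. Assumes the weak scheme names files
# <ten-digit Unix timestamp>.csv; the advisory only says "based on a Unix
# timestamp", so adjust TIMESTAMP_CSV to the pattern in your installation.
import os
import re
import secrets
import tempfile
import time
from pathlib import Path

TIMESTAMP_CSV = re.compile(r"^\d{10}\.csv$")  # assumed weak naming scheme


def find_timestamp_exports(upload_dir, max_age_seconds=0):
    """Return [(path, age_seconds)] for matching CSVs at least max_age old.
    The default of 0 reports every such file: the plugin never deletes them."""
    now = time.time()
    hits = []
    for path in sorted(Path(upload_dir).rglob("*.csv")):
        if TIMESTAMP_CSV.match(path.name):
            age = now - path.stat().st_mtime
            if age >= max_age_seconds:
                hits.append((str(path), age))
    return hits


def purge_timestamp_exports(upload_dir, max_age_seconds):
    """Delete matching exports older than max_age_seconds; return removed paths."""
    removed = [p for p, _ in find_timestamp_exports(upload_dir, max_age_seconds)]
    for p in removed:
        os.remove(p)
    return removed


def unpredictable_export_name(prefix="users-export"):
    """128 bits from the OS CSPRNG: a name that cannot be guessed or enumerated."""
    return f"{prefix}-{secrets.token_hex(16)}.csv"


def make_sample_upload_dir():
    """Constructed fixture: a day-old weak export next to an unrelated CSV."""
    d = tempfile.mkdtemp()
    weak = os.path.join(d, "1563900000.csv")
    Path(weak).write_text("user_login,user_email\nalice,alice@example.invalid\n")
    day_ago = time.time() - 86400
    os.utime(weak, (day_ago, day_ago))
    Path(os.path.join(d, "report.csv")).write_text("col\n")
    return d, weak
```

Run find_timestamp_exports against the real wp-content/uploads path of an installation that had the plugin active; anything it reports is user data still served from a public directory.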

Timeline:

2019-07-23: Vulnerability found
2019-07-23: Reported to vendor
2019-07-23: Vendor responded
2019-08-09: Reported to WordPress Plugin Review Team
2019-08-09: WordPress Plugin Review Team responded
2019-08-09: Plugin closed on the WordPress plugin repository
2019-09-19: Vendor released a fixed version (1.4)
2019-10-07: Public disclosure

Affects Plugins

Fixed in 1.4

Miscellaneous

Original Researcher: Phil Wylie
Submitter: Phil Wylie
Verified: No

Timeline

Publicly Published: 2019-10-07
Added: 2019-10-07
Last Updated: 2019-10-07