WordPress Plugin Vulnerabilities

WP Slacksync < 1.8.6 - Slack Access Token Disclosure

Description

The wpslacksync leaked a Slack Access Token in source code. An attacker can obtain a lot of information about the victim's Slack (channels, members, etc.)

Affects Plugins

Plugin icon
wpslacksync
Fixed in 1.8.6

References

CVE
CVE-2019-14366
URL
https://www.wpslacksync.com/changelog/

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
fs0c131y
Verified
Yes
WPVDB ID
921dc27c-814d-4ba8-8f13-cbbbe8b3b164

Timeline

Publicly Published
2019-11-12 (about 6 years ago)
Added
2021-02-23 (about 5 years ago)
Last Updated
2021-02-27 (about 5 years ago)

Other

Published
Title
Published
2025-02-17
Title
1 Click WordPress Migration Plugin – 100% FREE for a limited time < 2.3 - Unauthenticated Sensitive Information Exposure via Database Backup in class-ocm-backup.php
Published
2024-03-06
Title
MasterStudy LMS WordPress Plugin – for Online Courses and Education < 3.2.11 - Basic Information Exposure via REST route
Published
2024-01-03
Title
Constant Contact Forms < 2.4.3 - Information Disclosure via Log Files
Published
2025-04-11
Title
Developer Toolbar <= 1.0.3 - Unauthenticated Information Exposure
Published
2026-04-02
Title
HT Mega < 3.0.7 – Unauthenticated PII Disclosure