WordPress Plugin Vulnerabilities

ThemeMakers Themes - Information Disclosure

Description

Multiple themes from ThemeMaker allow remote attackers to obtain sensitive information (such as user_login, user_pass, and user_email values) via a direct request for the /wp-content/uploads/tmm_db_migrate/wp_users.dat file

Affects Plugins

Plugin icon
tmm_db_migrate
Fixed in 2.0

Affects Themes

diplomat
Fixed in 1.0.3
cardealer
Fixed in 1.1.9
accio
Fixed in 1.1.1
axioma
Fixed in 1.1.2
goodnex
Fixed in 1.1.3
GamesTheme
No known fix
blessing
Fixed in 1.3.2.1
smartit
No known fix
freely
No known fix
politican__
No known fix
style
No known fix
weddingalbum
No known fix
almera
Fixed in 1.1.8
Paradise
No known fix

References

CVE
CVE-2015-9483
URL
https://packetstormsecurity.com/files/#131957/

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Submitter
pvdl
Verified
No
WPVDB ID
a1398b95-73c6-4e10-b871-8dd7ac45f05b

Timeline

Publicly Published
2015-05-15 (about 10 years ago)
Added
2015-05-27 (about 10 years ago)
Last Updated
2020-12-09 (about 5 years ago)

Other

Published
Title
Published
2024-03-06
Title
MasterStudy LMS WordPress Plugin – for Online Courses and Education < 3.2.11 - Basic Information Exposure via REST route
Published
2024-07-02
Title
Hide My WP Ghost < 5.2.02 - Hidden Login Page Disclosure
Published
2024-04-22
Title
HT Mega – Absolute Addons For Elementor < 2.4.8 - Missing Authorization to Information Exposure
Published
2025-01-03
Title
Post/Page Copying Tool < 2.0.1 - Unauthenticated Sensitive Information Exposure
Published
2025-12-31
Title
Post Video Players <= 1.163 - Authenticated (Contributor+) Information Exposure