WordPress Plugin Vulnerabilities

All In One WP Security & Firewall < 5.1.3 - Configuration Leak

Description

The plugin leaked settings of the plugin publicly, including the used email address.

Proof of Concept

Config leak in previous versions: "aiowps_remove_wp_generator_meta_info" filetype:txt

https://www.google.com/search?q=%22aiowps_remove_wp_generator_meta_info%22+filetype%3Atxt

Search for aiowps_email_address

Affects Plugins

Plugin icon
all-in-one-wp-security-and-firewall
Fixed in 5.1.3

References

CVE
CVE-2022-4346

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
cc05f760-983d-4dc1-afbb-6b4965aa8abe

Timeline

Publicly Published
2022-12-27 (about 1 years ago)
Added
2022-12-27 (about 1 years ago)
Last Updated
2022-12-27 (about 1 years ago)

Other

Published
Title
Published
2024-04-29
Title
Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.7.8 - Sensitive Information Exposure
Published
2023-11-14
Title
EWWW Image Optimizer < 7.2.1 - Unauthenticated Sensitive Information Exposure via Debug Log
Published
2024-01-10
Title
WPS Hide Login < 1.9.12 - Hidden Login Page Location Disclosure
Published
2024-01-03
Title
Constant Contact Forms < 2.4.3 - Information Disclosure via Log Files
Published
2023-12-27
Title
eCommerce Product Catalog < 3.3.27 - Sensitive Information Exposure via CSV Files