CorreosExpress <= 2.6.0 – Sensitive Information Disclosure | CVE 2021-25009 | Plugin Vulnerabilities

Description

The plugin generates log files which are publicly accessible, and contain sensitive information such as sender/receiver names, phone numbers, physical and email addresses

Proof of Concept

https://example.com/wp-content/plugins/correos-express/log/log_cron_function.txt
https://example.com/wp-content/plugins/correos-express/log/log_ordenes.txt
https://example.com/wp-content/plugins/correos-express/log/log_rest.txt

Affects Plugins

correos-express

No known fix

References

CVE

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

José Aguilera

Submitter

José Aguilera

Submitter website

https://jsgm.dev

Verified

Yes

WPVDB ID

ce2e3503-9a06-4f5c-ae0f-f40e7dfb2903

Timeline

Publicly Published

2021-11-29 (about 2 years ago)

Added

2022-02-03 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2023-11-21

Title

UserPro < 5.1.2 - Sensitive Information Disclosure via Shortcode

Published

2021-02-16

Title

Ninja Forms < 3.4.34.1 - Authenticated OAuth Connection Key Disclosure

Published

2024-04-16

Title

Content Control < 2.2.0 - Missing Authorization to Sensitive Information Exposure

Published

2024-05-03

Title

SEOPress < 7.7 - Information Exposure

Published

2022-02-14

Title

Video Conferencing with Zoom < 3.8.17 - E-mail Address Disclosure