WordPress Plugin Vulnerabilities

CorreosExpress <= 2.6.0 - Sensitive Information Disclosure

Description

The plugin generates log files which are publicly accessible, and contain sensitive information such as sender/receiver names, phone numbers, physical and email addresses

Proof of Concept

Affects Plugins

Plugin icon
correos-express
No known fix

References

CVE
CVE-2021-25009

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
José Aguilera
Submitter
José Aguilera
Submitter website
https://jsgm.dev
Verified
Yes
WPVDB ID
ce2e3503-9a06-4f5c-ae0f-f40e7dfb2903

Timeline

Publicly Published
2021-11-29 (about 4 years ago)
Added
2022-02-03 (about 3 years ago)
Last Updated
2022-04-13 (about 3 years ago)

Other

Published
Title
Published
2022-03-30
Title
Be POPIA Compliant < 1.1.6 - Unauthenticated Sensitive Information Exposure
Published
2024-10-15
Title
WP SendFox <= 1.3.1 - Unauthenticated Information Disclosure
Published
2024-06-06
Title
Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE < 2.6.12 - Authenticated (Subscriber+) Information Exposure
Published
2024-07-18
Title
ElementsKit Elementor addons < 3.2.1 - Unauthenticated Information Exposure via ekit_widgetarea_content Function
Published
2024-10-23
Title
Elementor Header & Footer Builder < 1.6.44 - Authenticated (Contributor+) Information Disclosure via Shortcode