WP Attachment Export < 0.2.4 – Unauthenticated Posts Download | CVE 2015-20067 | Plugin Vulnerabilities

Description

The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress
powered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.

Proof of Concept

Download attachment details: http://localhost/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true

Download Wordpress content details: http://localhost/wp-admin/tools.php?content=&wp-attachment-export-download=true

Affects Plugins

wp-attachment-export

Fixed in 0.2.4

References

CVE

URL

https://packetstormsecurity.com/files/#132693/

URL

https://seclists.org/fulldisclosure/2015/Jul/73

URL

https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_attachment_export_file_download.rb

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nitin Venkatesh

Submitter

ethicalhack3r

Submitter twitter

Verified

Yes

WPVDB ID

d1a9ed65-baf3-4c85-b077-1f37d8c7793a

Timeline

Publicly Published

2015-07-15 (about 8 years ago)

Added

2015-07-15 (about 8 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2021-09-20

Title

WP Import Export Lite < 3.9.5 - Subscriber+ Arbitrary Blog Options Update

Published

2021-10-20

Title

Sassy Social Share 3.3.23 - Missing Access Controls to PHP Object Injection

Published

2021-10-20

Title

Responsive Image Slider, Photo Gallery And Carousel < 1.3.6 - Subscriber+ Arbitrary Post Access

Published

2024-02-21

Title

Maintenance Page < 1.0.9 - Security Mechanism Bypass via REST API

Published

2021-08-23

Title

Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update