WP Attachment Export < 0.2.4 – Unauthenticated Posts Download | CVE 2015-20067 | Plugin Vulnerabilities

Description

The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress
powered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.

Proof of Concept

Download attachment details: http://localhost/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true

Download Wordpress content details: http://localhost/wp-admin/tools.php?content=&wp-attachment-export-download=true

Affects Plugins

wp-attachment-export

Fixed in 0.2.4

References

CVE

URL

https://packetstormsecurity.com/files/#132693/

URL

https://seclists.org/fulldisclosure/2015/Jul/73

URL

https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_attachment_export_file_download.rb

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nitin Venkatesh

Submitter

ethicalhack3r

Submitter twitter

Verified

Yes

WPVDB ID

d1a9ed65-baf3-4c85-b077-1f37d8c7793a

Timeline

Publicly Published

2015-07-15 (about 10 years ago)

Added

2015-07-15 (about 10 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2021-11-15

Title

Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access

Published

2021-05-07

Title

Leads-5050 Visitor Insights < 1.1.0 - Unauthorised License Change

Published

2021-07-12

Title

Frontend File Manager < 18.3 - Unauthenticated Arbitrary Post Deletion

Published

2021-10-05

Title

WP Survey Plus <= 1.0 - Subscriber+ AJAX Calls

Published

2022-03-28

Title

Shopping Cart & eCommerce Store < 5.2.5 - Arbitrary Design Settings Update via CSRF