WP Attachment Export < 0.2.4 – Unauthenticated Posts Download | CVE 2015-20067 | Plugin Vulnerabilities

Description

The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress
powered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.

Proof of Concept

Download attachment details: http://localhost/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true

Download Wordpress content details: http://localhost/wp-admin/tools.php?content=&wp-attachment-export-download=true

Affects Plugins

wp-attachment-export

Fixed in 0.2.4

References

CVE

URL

https://packetstormsecurity.com/files/#132693/

URL

https://seclists.org/fulldisclosure/2015/Jul/73

URL

https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_attachment_export_file_download.rb

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nitin Venkatesh

Submitter

ethicalhack3r

Submitter twitter

Verified

Yes

WPVDB ID

d1a9ed65-baf3-4c85-b077-1f37d8c7793a

Timeline

Publicly Published

2015-07-15 (about 10 years ago)

Added

2015-07-15 (about 10 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2024-02-16

Title

Paid Memberships Pro < 2.12.9 - Contributor+ Arbitrary User Custom Field Disclosure

Published

2021-05-26

Title

Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Export

Published

2021-11-03

Title

Event Manager for WooCommerce < 3.5.3 - Unauthenticated Arbitrary Elementor Template Import

Published

2024-11-20

Title

Tutor LMS < 2.7.7 - User Registration Setting Bypass to Unauthorized User Registration

Published

2024-04-08

Title

GamiPress < 6.8.9 - Broken Access Control