Full Path Disclosure vulnerability in JM Twitter Cards reveals the location of the WordPress installation on the server


Last revised:

This plugin contains a Full Path Disclosure vulnerability (CWE-200). This allows an attacker to discover the full path to the WordPress installation on the server, which they could use to assist in other attacks.

For this to happen, the site would have to have the ‘display_errors’ option set to true.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5 Medium
Vector Network
Complexity Low
Authentication None
Confidentiality Partial
Integrity None
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Turn on display_errors

Request from a browser.

The following error message will be displayed:

Fatal error: Call to undefined function esc_html_e() in /path/to/installation/wp-content/plugins/jm-twitter-cards/views/settings.php on line 3

Advisory timeline

2015-07-29: Discovered
2015-07-30: Reported to vendor via contact form on
2015-09-17: Vendor reported fixed
2015-10-12: Published
2015-10-12: Requested CVE



Mitigation/further actions

Upgrade to version 6.2 or later.

If this is not possible, ensure that display_errors is turned off on a site running this plugin.