Full Path Disclosure vulnerability in JM Twitter Cards reveals the location of the WordPress installation on the server

Vulnerability

Last revised: July 30, 2015

This plugin contains a Full Path Disclosure vulnerability (CWE-200). This allows an attacker to discover the full path to the WordPress installation on the server, which they could use to assist in other attacks.

For this to happen, the site would have to have the ‘display_errors’ option set to true.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score	5 Medium
Vector	Network
Complexity	Low
Authentication	None
Confidentiality	Partial
Integrity	None
Availability	None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Turn on display_errors

Request http://mydomain.com/wp-content/plugins/jm-twitter-cards/views/settings.php from a browser.

The following error message will be displayed:

Fatal error: Call to undefined function esc_html_e() in /path/to/installation/wp-content/plugins/jm-twitter-cards/views/settings.php on line 3

Advisory timeline

2015-07-29: Discovered
2015-07-30: Reported to vendor via contact form on http://www.tweetpress.fr/contact
2015-09-17: Vendor reported fixed
2015-10-12: Published
2015-10-12: Requested CVE

Mitigation/further actions

Upgrade to version 6.2 or later.

If this is not possible, ensure that display_errors is turned off on a site running this plugin.

dxw advisories

Advisory: