wpexploit | Aleksi Kistauri | WPEX-ID: 468D5FC7-04C6-4354-B134-85EBB25B37AE
History: Sep 26, 2022 - 12:00 a.m.

Helpful < 4.5.26 - Information Disclosure

2022-09-26 00:00:00
Aleksi Kistauri
Tags: admin export, csv files, urls, information disclosure exploit

EPSS: 0.001 (Low), Percentile: 40.2%

The plugin writes the exported logs and feedback to a publicly accessible location under guessable file names, which could allow attackers to download them and retrieve sensitive information such as IP addresses, names and email addresses, depending on the plugin's settings.

After an admin exports logs (via wp-admin/admin.php?page=helpful&tab=log) or feedback (via wp-admin/admin.php?page=helpful_feedback), the CSV files can be downloaded by simply requesting the following URLs:

https://example.com/wp-content/uploads/helpful/logs.csv
https://example.com/wp-content/uploads/helpful/feedback.csv
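As an added example (not part of the advisory or the plugin), a small Python check a site operator can run over their own web-server access logs to find successful downloads of the two export files named above, which is how an operator would confirm whether the files were actually fetched before the fix was applied. The log lines below are constructed samples in Apache/nginx combined format using documentation IP ranges.

```python
import re

# The two predictable export locations the advisory names, relative to the site root.
HELPFUL_EXPORT_PATHS = (
    "/wp-content/uploads/helpful/logs.csv",
    "/wp-content/uploads/helpful/feedback.csv",
)

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD path proto" status size ...
_COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def find_export_downloads(log_lines, only_successful=True):
    """Return one dict per request for a Helpful export CSV.

    With only_successful=True (the default) only HTTP 200 responses are kept,
    i.e. requests where the file existed and was served. Failed probes
    (403/404) are still worth reviewing, so pass False to include them.
    """
    hits = []
    for line in log_lines:
        m = _COMBINED_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Drop any query string before comparing against the known paths.
        path = m.group("path").split("?", 1)[0]
        if path not in HELPFUL_EXPORT_PATHS:
            continue
        status = int(m.group("status"))
        if only_successful and status != 200:
            continue
        hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                     "path": path, "status": status})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Sep/2022:10:14:02 +0000] "GET /wp-content/uploads/helpful/logs.csv HTTP/1.1" 200 48213 "-" "curl/7.85.0"',
    '198.51.100.4 - - [26/Sep/2022:10:15:10 +0000] "GET /wp-content/uploads/helpful/feedback.csv?x=1 HTTP/1.1" 200 9931 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [26/Sep/2022:10:16:00 +0000] "GET /wp-content/uploads/helpful/logs.csv HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [26/Sep/2022:10:17:00 +0000] "GET /wp-admin/admin.php?page=helpful&tab=log HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_export_downloads(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} downloaded {hit["path"]} (HTTP {hit["status"]})')
```

Against the sample, the two 200 responses are reported and the 404 probe is only shown with `only_successful=False`; pass a real log file handle in place of `SAMPLE_LOG` to run it on production logs.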

