wpvulndb
WPVDB-ID: 468D5FC7-04C6-4354-B134-85EBB25B37AE
Sep 26, 2022 - 12:00 a.m.

Helpful < 4.5.26 - Information Disclosure

2022-09-26 00:00:00
Aleksi Kistauri
wpscan.com
4
plugin
information disclosure
publicly accessible
guessable urls
csv files
ip
names
email address
software

EPSS: 0.001 (Low); percentile: 40.2%

The plugin writes exported logs and feedback to a publicly accessible location under fixed, guessable file names. Since the uploads directory is served directly by the web server, no WordPress authentication is checked, so unauthenticated attackers could download the files and retrieve sensitive information such as IP addresses, names and email addresses, depending on the plugin's settings.

PoC

After an administrator has exported logs (via wp-admin/admin.php?page=helpful&tab=log) or feedback (via wp-admin/admin.php?page=helpful_feedback), the resulting CSV files can be downloaded by anyone who requests the following URLs:

https://example.com/wp-content/uploads/helpful/logs.csv
https://example.com/wp-content/uploads/helpful/feedback.csv

Note that the files only exist once an export has been performed; a site where no administrator has ever exported logs or feedback will return a 404 (or the host's soft-404 page) for these paths.

CPE
Name     Operator  Version
helpful  lt        4.5.26

