Export Users to CSV < 1.4 - Unauthorised CSV Access
Description
The plugin exports a CSV file containing sensitive user data.

The generated files are stored in a public directory with a predictable filename based on a Unix timestamp. CSV files are discoverable either through enumeration or path traversal.

Export Users to CSV does not provide visibility over exported CSV files. Generated CSV files are stored indefinitely.
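One way to remove the exposure described above is to never write the export to disk at all: check the caller's capability and nonce, then stream the CSV straight to the browser. This is an added example, not the plugin's code and not necessarily what version 1.4 changed; the hook name, nonce action and column list are assumptions.

```php
<?php
/**
 * Added example (not the plugin's code): stream a user export directly to the
 * requesting administrator instead of storing a CSV in a public directory.
 * The hook name, nonce action and exported columns are assumptions.
 */
add_action( 'admin_post_example_export_users', 'example_export_users_csv' );

function example_export_users_csv() {
    // Only users allowed to list users may export them, and the request must
    // carry a valid nonce so it cannot be triggered from another site.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_export_users' );

    // Stream the file: nothing is written under wp-content/uploads, so there is
    // no predictable timestamp-based path to guess and no stale file left behind.
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="users-export.csv"' );

    $columns = array( 'ID', 'user_login', 'user_email', 'display_name' );
    $out     = fopen( 'php://output', 'w' );
    fputcsv( $out, $columns );
    foreach ( get_users( array( 'fields' => $columns ) ) as $user ) {
        fputcsv( $out, array( $user->ID, $user->user_login, $user->user_email, $user->display_name ) );
    }
    fclose( $out );
    exit;
}
```

If an export must be kept on disk (for example for very large sites), store it outside the web root under a random, unguessable name and delete it once downloaded, rather than leaving timestamp-named files in a public directory indefinitely.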

Timeline:

2019-07-23: Vulnerability found
2019-07-23: Reported to vendor
2019-07-23: Vendor responded
2019-08-09: Reported to WordPress Plugin Review Team
2019-08-09: WordPress Plugin Review Team responded
2019-08-09: Plugin closed on the WordPress plugin repository
2019-09-19: Vendor released a fixed version (1.4)
2019-10-07: Public disclosure

Affects Plugin

Fixed in version 1.4

References

URL https://plugins.trac.wordpress.org/changeset/2159451/export-users/trunk

Classification

Type MULTI

Miscellaneous

Original Researcher Phil Wylie
Submitter Phil Wylie
Submitter Website https://www.philwylie.co.uk/
Submitter Twitter mustardbees
Views 2298
Verified No
WPVDB ID 9897

Timeline

Publicly Published 2019-10-07
Added 2019-10-07
Last Updated 2019-10-07
