WP Discourse Plugin Information Exposure Vulnerability
Vulnerability
A vulnerability allowing information exposure has been identified in the WP Discourse plugin for WordPress, affecting all versions through 2.5.9. The issue arises because the plugin automatically sends Discourse API credentials, including the Api-Key and Api-Username, to any host specified in a post's discourse_permalink custom field during comment synchronization. This behavior enables authenticated attackers with author-level access or higher to exfiltrate sensitive Discourse API credentials to servers under their control, potentially allowing further exploitation by querying internal services or conducting additional attacks.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive Discourse API credentials, which could be misused to interact with Discourse on behalf of the user or to access protected resources.
Reproduction
To reproduce this vulnerability, an authenticated user with author-level access or higher creates a post and includes a Discourse permalink in its discourse_permalink custom field. When the post's comments are synchronized with Discourse, the API credentials are sent to the host specified in that field, exposing the sensitive information.
Remediation
Users are advised to update the WP Discourse plugin to version 2.6.0 or later, where this vulnerability has been patched.
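An audit that can accompany the update, as an added example rather than code from the plugin or this advisory: it lists posts whose discourse_permalink value does not point at the site's own Discourse origin. The forum URL, the hosts and the sample rows are constructed, and how the (post_id, meta_value) pairs are exported from WordPress is left as an assumption.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # .hostname excludes any "user@" prefix and is already lowercased.
    host = parts.hostname.rstrip(".")
    return scheme, host, port if port is not None else DEFAULT_PORTS[scheme]


def audit_permalinks(discourse_url, rows):
    """Return (post_id, permalink, reason) for every row that needs review."""
    trusted = origin(discourse_url)
    if trusted is None:
        raise ValueError("configured Discourse URL must be absolute http(s)")
    findings = []
    for post_id, permalink in rows:
        seen = origin(permalink)
        if seen is None:
            findings.append((post_id, permalink, "not an absolute http(s) URL"))
        elif seen != trusted:
            findings.append((post_id, permalink, "origin is not the configured Discourse"))
    return findings


# Constructed sample: (post_id, discourse_permalink value) pairs.
SAMPLE_ROWS = [
    (101, "https://forum.example.org/t/welcome/12"),
    (102, "https://FORUM.example.org:443/t/release-notes/40"),  # same origin
    (103, "https://collector.example.net/t/x/1"),
    (104, "https://forum.example.org@collector.example.net/t/x/1"),
    (105, "http://forum.example.org/t/welcome/12"),  # cleartext scheme
    (106, "//forum.example.org/t/welcome/12"),  # no scheme
]

if __name__ == "__main__":
    for finding in audit_permalinks("https://forum.example.org", SAMPLE_ROWS):
        print(*finding, sep="\t")
```

Any post it reports on a site that ran version 2.5.9 or earlier is a reason to rotate the Discourse API key in addition to updating.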
