TNC Toolbox Web Performance WordPress Plugin Sensitive Information Exposure Vulnerability

Vulnerability

A sensitive information exposure vulnerability has been identified in the TNC Toolbox: Web Performance plugin for WordPress, affecting all versions through 1.4.2. The plugin improperly stores cPanel API credentials (hostname, username, and API key) in files within the publicly accessible wp-content directory. This storage method lacks adequate protection, particularly in the 'Tnc_Wp_Toolbox_Settings::save_settings' function. As a result, unauthenticated attackers can access these credentials and use them to interact with the cPanel API, potentially leading to arbitrary file uploads, remote code execution, and a complete compromise of the hosting environment.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive cPanel API credentials, which can be misused to upload files, execute code remotely, and fully compromise the hosting environment.

Remediation

Users are advised to update the TNC Toolbox: Web Performance plugin to version 2.0.0 or a newer patched version.
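
To find installs that still fall in the affected range, the following added example (not code from the plugin or from this advisory) reads the plugin's header version from a WordPress tree and compares it with 1.4.2. The directory name "tnc-toolbox" is an assumption, and the sample site in the demo is constructed.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 4, 2)    # advisory: all versions through 1.4.2 are affected
PLUGIN_SLUG = "tnc-toolbox"  # assumption: plugin directory name, not stated in the advisory

# A WordPress plugin header line such as " * Version: 1.4.2"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)


def parse_version(header):
    """Return the header version as a tuple of ints, or None if there is none."""
    m = VERSION_RE.search(header)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version):
    """True when version <= 1.4.2; short versions are padded (1.4 -> 1.4.0)."""
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded <= LAST_AFFECTED


def audit(wp_root, slug=PLUGIN_SLUG):
    """Return (status, version) for the plugin installed under wp_root."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / slug
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads the first 8 KiB
        if "Plugin Name:" not in head:
            continue  # helper file, not the plugin's main file
        version = parse_version(head)
        if version:
            return ("affected" if is_affected(version) else "patched", version)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample site: a temporary tree with a 1.4.2 plugin header.
    with tempfile.TemporaryDirectory() as root:
        d = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        d.mkdir(parents=True)
        (d / "main.php").write_text("<?php\n/**\n * Plugin Name: Sample\n * Version: 1.4.2\n */\n")
        print(audit(root))
```

A site reported as affected held its cPanel API key in a readable location before the update, so the key should be revoked and reissued in addition to upgrading.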

Added: Nov 11, 2025, 11:21 AM
Updated: Nov 11, 2025, 11:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.1
remediation: 7.7
relevance: 0.9
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.