Database Toolset WordPress Plugin Sensitive Information Exposure Vulnerability

Vulnerability

A vulnerability allowing sensitive information exposure has been identified in the Database Toolset plugin for WordPress, affecting all versions through 1.8.4. The issue arises from database backup files being stored in a publicly accessible directory without authentication, allowing unauthenticated attackers to download these files and access sensitive data. The vulnerability is compounded by the presence of an index file, which could facilitate a brute force attack to discover and exploit the issue.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive database information, including user data and password hashes, which could be used to compromise WordPress admin accounts and take over entire websites.

Reproduction

The vulnerability can be reproduced by accessing the publicly available backup files stored in the '/wp-content/uploads/export/database/' directory. This can be done by manually entering the URL of a known backup file or by successfully brute-forcing the file names, which are generated with a predictable format that includes the database name, timestamp, and a random number.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.
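
Until the plugin is removed, the one thing a site owner can do is watch for access to the export directory named above. The following is an added detection example, not code from the advisory or the plugin: it runs over constructed combined-format access log lines, flags every successful request under `/wp-content/uploads/export/database/` (directory listing or backup download), and reports clients whose repeated 404s under that prefix look like file-name guessing. The threshold `ENUM_THRESHOLD` and the sample file names are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines in combined format (not taken from the advisory).
# Client 203.0.113.5 fetches the directory index, misses three guessed names, then
# downloads a backup; 198.51.100.7 is ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2025:19:40:01 +0000] "GET /wp-content/uploads/export/database/ HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.5 - - [09/Jun/2025:19:40:02 +0000] "GET /wp-content/uploads/export/database/guess-1.sql HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.5 - - [09/Jun/2025:19:40:03 +0000] "GET /wp-content/uploads/export/database/guess-2.sql HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.5 - - [09/Jun/2025:19:40:04 +0000] "GET /wp-content/uploads/export/database/guess-3.sql HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.5 - - [09/Jun/2025:19:40:05 +0000] "GET /wp-content/uploads/export/database/example-backup.sql HTTP/1.1" 200 52331 "-" "curl/8.0"
198.51.100.7 - - [09/Jun/2025:19:41:00 +0000] "GET /wp-content/uploads/2025/06/logo.png HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [time] "METHOD PATH PROTO" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
EXPORT_PREFIX = "/wp-content/uploads/export/database/"  # directory named in the advisory
ENUM_THRESHOLD = 3  # assumed: this many 404s under the prefix from one client = name guessing

def analyze_log(text):
    """Return (findings, guessing_ips): findings holds every successful request
    under the export directory (listing or backup download); guessing_ips holds
    clients whose 404 count under the prefix reached ENUM_THRESHOLD."""
    findings = []
    misses = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        path = path.split("?", 1)[0]  # ignore any query string
        if not path.startswith(EXPORT_PREFIX):
            continue
        if 200 <= status < 300:
            listing = path == EXPORT_PREFIX or path.endswith("/index.html")
            findings.append({"ip": ip, "path": path,
                             "kind": "directory_listing" if listing else "backup_download"})
        elif status == 404:
            misses[ip] += 1
    guessing_ips = {ip for ip, n in misses.items() if n >= ENUM_THRESHOLD}
    return findings, guessing_ips

if __name__ == "__main__":
    hits, guessers = analyze_log(SAMPLE_LOG)
    for f in hits:
        print(f"ALERT {f['kind']}: {f['ip']} fetched {f['path']}")
    print("name guessing from:", sorted(guessers))
```

A single successful download is already a confirmed exposure, so treat `backup_download` findings as an incident, not a warning, and rotate the credentials and password hashes the backup contained.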

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.2
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.