HAX Open-Apis Unauthenticated Information Disclosure Vulnerability in WordPress via haxPsuUsage API Endpoint

Vulnerability

A vulnerability allowing unauthenticated information disclosure exists in the Penn State University deployment of the HAX content management system. This issue is present in open-apis versions through 10.0.2, specifically within the 'haxPsuUsage' API endpoint. The vulnerability allows any remote unauthenticated user to access a complete list of PSU websites hosted on HAX CMS. This information disclosure could be exploited in conjunction with other authorization vulnerabilities to facilitate targeted attacks, such as unauthorized modification or deletion of content.

Impact

Exploitation of this vulnerability allows for unauthorized access to a list of all PSU HAX CMS websites, which could lead to further attacks on the content or integrity of those sites. When combined with other authorization issues, it could enable unauthorized users to modify or delete content on the HAX CMS.

Reproduction

To reproduce this vulnerability, send a GET request to the 'haxPsuUsage' API endpoint. This can be done using a terminal or browser. The endpoint will respond with a list of all PSU websites hosted on the HAX CMS, without requiring any authentication or authorization.

Remediation

Users can update to the version of open-apis released after June 2, 2025, which addresses this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.