Export All URLs WordPress Plugin Unauthenticated Sensitive Data Exposure Vulnerability
Vulnerability
A vulnerability in the Export All URLs WordPress plugin, affecting versions prior to 5.1, allows for unauthenticated sensitive data exposure. The plugin generates CSV files with post URLs, including those of private posts, using a predictable filename pattern that incorporates a random 6-digit number. These files are saved in the publicly accessible wp-content/uploads/ directory. This design enables any unauthenticated user to brute-force the filenames and access the sensitive data within the exported files.
Impact
Exploitation of this vulnerability leads to unauthorized access to sensitive data, specifically private post URLs, which are disclosed through the exported CSV files.
Reproduction
To reproduce this vulnerability, an unauthenticated user can brute-force the CSV filenames generated by the Export All URLs WordPress plugin. This can be done by iterating through the random 6-digit number range and checking for accessible files in the wp-content/uploads/ directory. Once a file is found, it can be downloaded to access the sensitive data contained within.
Remediation
Users are advised to update the Export All URLs WordPress plugin to version 5.1 or later.
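To check whether the filename brute-forcing described under Reproduction has already been attempted against a site, web server access logs can be reviewed. The following is an added example, not part of the original advisory or the plugin's code. It assumes combined-format access logs and, because the advisory does not give the exact filename pattern, treats any .csv under wp-content/uploads/ with a 6-digit number in its name as a candidate. The function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined-log-format line: client IP, request path, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# Assumption: the advisory gives no exact filename, so match any .csv under
# wp-content/uploads/ whose name contains a standalone 6-digit run.
TARGET = re.compile(
    r'/wp-content/uploads/(?:[^/?]+/)*[^/?]*(?<!\d)\d{6}(?!\d)[^/?]*\.csv(?:\?|$)', re.I)

def find_enumeration(lines, min_names=20, min_miss_ratio=0.9):
    """Flag clients that request many distinct export-like CSV names, mostly missing."""
    # Thresholds are illustrative defaults (assumptions), tune them per site.
    seen = defaultdict(lambda: {"names": set(), "total": 0, "misses": 0, "hits": []})
    for line in lines:
        m = LINE.match(line)
        if not m or not TARGET.search(m.group(2)):
            continue
        ip, path, status = m.group(1), m.group(2).split("?")[0], int(m.group(3))
        s = seen[ip]
        s["names"].add(path)
        s["total"] += 1
        if status in (403, 404):
            s["misses"] += 1
        elif status == 200:
            s["hits"].append(path)  # a guessed file that was actually served
    return {
        ip: {"distinct": len(s["names"]), "misses": s["misses"], "hits": s["hits"]}
        for ip, s in seen.items()
        if len(s["names"]) >= min_names and s["misses"] / s["total"] >= min_miss_ratio
    }

def sample_log():
    # Constructed lines; the "export-" prefix is a placeholder, not the plugin's real name.
    fmt = ('{ip} - - [10/Jan/2024:10:00:{s:02d} +0000] '
           '"GET /wp-content/uploads/export-{n:06d}.csv HTTP/1.1" {st} 0 "-" "-"')
    lines = [fmt.format(ip="203.0.113.7", s=i, n=100000 + i, st=200 if i == 37 else 404)
             for i in range(40)]
    # A single successful download by another client must not be flagged.
    lines.append(fmt.format(ip="198.51.100.4", s=5, n=100037, st=200))
    return lines

if __name__ == "__main__":
    for ip, info in find_enumeration(sample_log()).items():
        print(ip, info)
```

Any path listed under hits was served to the probing client, so the URLs contained in that export should be treated as disclosed.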
