Vendor: WP Security Audit Log Plugin
By: Colette Chamberland, Defiant, Inc.
CVSS: 5.3 (MEDIUM)
Type: Sensitive Information Disclosure
CWE: Unknown
Product Name: WP Security Audit Log Plugin
Affected Version From: Unknown
Affected Version To: <=3.1.1
Patch Exists: NO
Related CWE: CVE-2018-8719
CPE: Unknown
Metasploit:
Other Scripts:
Tags: cve2018,exposure,edb,wordpress,wp-plugin,cve
CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Nuclei Metadata: {'max-request': 1, 'framework': 'wordpress', 'vendor': 'wpsecurityauditlog', 'product': 'wp_security_audit_log'}
Platforms Tested: Wordpress 4.9.x
2018

WP Security Audit Log Plugin, Sensitive Information Disclosure <= 3.1.1

The wp-content/uploads/wp-security-audit-log/* directory has no access protection. It is indexed by Google, which allows attackers to possibly find user information (bad login attempts).

Mitigation:

Unknown
Source

Exploit-DB raw data:

# Exploit Title: WP Security Audit Log Plugin, Sensitive Information Disclosure <= 3.1.1 
# Google Dork: inurl:/wp-content/uploads/wp-security-audit-log/
# Date: 3/13/2018
# Exploit Author: Colette Chamberland, Defiant, Inc.
# Vendor Homepage: http://wpwhitesecurity.com
# Software Link: https://wordpress.org/plugins/wp-security-audit-log/
# Version: <=3.1.1
# Tested on: Wordpress 4.9.x
# CVE : CVE-2018-8719

Description:
No protection on wp-content/uploads/wp-security-audit-log/*, which is indexed by Google and allows attackers to possibly find user information (bad login attempts).

/wp-security-audit-log/classes/Sensors/System.php:
$upload_dir = wp_upload_dir();
$uploads_dir_path = trailingslashit( $upload_dir['basedir'] ) . 'wp-security-audit-log/404s/users/';
$uploads_url = trailingslashit( $upload_dir['baseurl'] ) . 'wp-security-audit-log/404s/users/';

/wp-security-audit-log/classes/Sensors/LogInOut.php:
// Directory for logged in users log files.
$user_upload_dir    = wp_upload_dir();
$user_upload_path   = trailingslashit( $user_upload_dir['basedir'] . '/wp-security-audit-log/failed-logins/' );
if ( ! $this->CheckDirectory( $user_upload_path ) ) {
	wp_mkdir_p( $user_upload_path );
}
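
A hardened form of the directory creation shown in the two excerpts above, as an added example that is not the plugin's or the vendor's code. It assumes it runs inside WordPress on Apache with .htaccess overrides enabled; the function name example_protected_audit_dir() is hypothetical.

```php
<?php
/**
 * Added example, not the plugin's code: create an audit-log directory under
 * uploads and deny direct web access to the whole wp-security-audit-log/ tree.
 * Assumption: Apache honours .htaccess here. On nginx the deny rule must be
 * placed in the server configuration instead.
 */
function example_protected_audit_dir( $sub ) {
	$upload_dir = wp_upload_dir();
	$root       = trailingslashit( $upload_dir['basedir'] ) . 'wp-security-audit-log/';
	$path       = $root . trailingslashit( $sub );

	// wp_mkdir_p() creates missing parents and returns true if the path already exists.
	if ( ! wp_mkdir_p( $path ) ) {
		return false;
	}

	// One deny rule at the root covers every subdirectory (Apache 2.4 and 2.2 syntax).
	$deny = "<IfModule mod_authz_core.c>\n  Require all denied\n</IfModule>\n"
		. "<IfModule !mod_authz_core.c>\n  Order allow,deny\n  Deny from all\n</IfModule>\n";

	// Empty index files stop directory listings if the .htaccess is ignored.
	// They do not stop a request for a log file whose name is already known.
	$index = "<?php\n// Silence is golden.\n";
	$files = array(
		$root . '.htaccess' => $deny,
		$root . 'index.php' => $index,
		$path . 'index.php' => $index,
	);

	foreach ( $files as $file => $contents ) {
		if ( ! file_exists( $file ) && false === file_put_contents( $file, $contents ) ) {
			return false; // A protection file is missing: treat the directory as unsafe.
		}
	}
	return $path;
}

// The two directories named in the advisory, relative to wp-security-audit-log/.
foreach ( array( '404s/users/', 'failed-logins/' ) as $sub ) {
	if ( false === example_protected_audit_dir( $sub ) ) {
		error_log( 'Audit log directory is not protected: ' . $sub );
	}
}
```

Requesting a log file URL under wp-content/uploads/wp-security-audit-log/ from outside should then return 403; a 200 response means the web server is not applying the rule.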