The plugin exports a CSV file containing sensitive user data. The generated files are stored in a public directory with a predictable filename based on a Unix timestamp. CSV files are discoverable either through enumeration or path traversal. Export Users to CSV does not provide visibility over exported CSV files. Generated CSV files are stored indefinitely. Timeline: 2019-07-23: Vulnerability found 2019-07-23: Reported to vendor 2019-07-23: Vendor responded 2019-08-09: Reported to WordPress Plugin Review Team 2019-08-09: WordPress Plugin Review Team responded 2019-08-09: Plugin closed on the WordPress plugin repository 2019-09-19: Vendor released a fixed version (1.4) 2019-10-07: Public disclosure

First seen on:

Share This: