Access Control Flaw in Ghost Plugin for WordPress
CVE-2016-10983

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Ghost
Vendor: CVE Published:; 17 September 2019

Summary

The Ghost plugin for WordPress, prior to version 0.5.6, is affected by an access control vulnerability that allows unauthorized users to export sensitive data through the endpoint /wp-admin/tools.php?ghostexport=true. This flaw poses significant risks as it may lead to the exposure of confidential information without proper authentication, highlighting the need for prompt updates and adherence to security best practices.

References

https://wordpress.org/plugins/ghost/#developers

x_refsource_MISC

https://packetstormsecurity.com/files/136887/

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 17, 2019
Vulnerability Reserved
Sep 17, 2019