When it comes to areas where there is a lot of room for better security in WordPress plugins, two that come to mind are the security of plugins that handle business-related tasks and the security of personal information stored by plugins. Those came together in a vulnerability we happened to run across in the plugin UpiCRM while looking into the possibility of a different vulnerability.
The plugin features the ability to export lead information (names, email addresses, phone numbers, etc.) to a file. When that occurs the file is saved to the directory /wp-content/uploads/upicrm/ with the name leads.csv or leads.xlsx, depending on the format requested. Access to files in that directory is not restricted, so anyone can later request the files at that location and will be served them if an export was previously done that generated them. In other words, the export does not require any login to read back, only a prior administrator action to create it, and the file persists until someone deletes it.
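The underlying design problem is that the export is written to a web-readable location and then left there, rather than being served directly to the authenticated user who requested it. The following is an added example of the safer pattern, written for this post and not taken from UpiCRM: a WordPress admin-post handler that checks a capability and a nonce, then streams the CSV from memory so nothing is left on disk. The action name, the `manage_options` capability, the nonce name and the `upicrm_example_get_leads_rows()` data source are all assumptions for illustration.

```php
<?php
/*
 * Added example (not UpiCRM's own code): serve a lead export only to an
 * authenticated user with the right capability, streaming it instead of
 * writing leads.csv into the web-readable uploads directory.
 * Action name, capability, nonce name and the row source are assumptions.
 */

// Hypothetical data source; a real plugin would query its leads table here.
function upicrm_example_get_leads_rows() {
    return array(
        array( 'name', 'email', 'phone' ),
        array( 'Jane Doe', 'jane@example.com', '555-0100' ),
    );
}

function upicrm_example_handle_export() {
    // Only logged-in users reach this hook: the admin_post_nopriv_ variant
    // is deliberately not registered. Still require an admin capability,
    // since a plain login (e.g. a subscriber) must not see lead data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to export leads.', '', array( 'response' => 403 ) );
    }

    // Require a nonce bound to this action so the export cannot be
    // triggered by a forged cross-site request.
    check_admin_referer( 'upicrm_example_export' );

    // Stream the CSV straight to the requester; no file is left behind
    // for an unauthenticated visitor to fetch later.
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="leads.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( upicrm_example_get_leads_rows() as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
add_action( 'admin_post_upicrm_example_export', 'upicrm_example_handle_export' );

// Link to place on the Exports page; wp_nonce_url() appends the matching nonce.
function upicrm_example_export_url() {
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=upicrm_example_export' ),
        'upicrm_example_export'
    );
}
```

If a plugin genuinely needs to write export files, they belong outside the document root or in a directory the web server refuses to serve (for example an `.htaccess` with `Require all denied` on Apache 2.4, or an equivalent `location` deny in nginx), and any leads.csv or leads.xlsx already sitting in /wp-content/uploads/upicrm/ should be deleted by the site owner after each export until the plugin is fixed.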
We contacted the developer of the plugin about the issue a week ago, but we have not heard back from them and the vulnerability has yet to be fixed.
Proof of Concept
- Visit the Exports page and click “Export all leads data to Excel”.
- Log out of WordPress.
- Now when requesting the URL http://[path to WordPress]/wp-content/uploads/upicrm/leads.xlsx (make sure to replace “[path to WordPress]” with the location of WordPress) you will be served the export.
- June 19, 2017 – Developer notified.