05 Jul

Authenticated Information Disclosure Vulnerability in Log Emails

Recently we took a quick look over plugins that log emails sent through WordPress. Those emails have the potential to contain sensitive information, so their security is important. In two cases we found that the plugin allowed any logged-in user to view emails logged by the plugin. In the case of the Log Emails plugin we found that the issue went further than in the other plugin, as it not only allowed you to view logged emails, but also to view anything else stored as a post. That includes not only posts, but also pages and any content that a plugin might store in that way, such as the logged emails from this plugin.
