19 Sep

Authenticated Information Disclosure Vulnerability in Share Drafts Publicly

The changelog entry for version 1.1.4 of Share Drafts Publicly is “Added security enhancements.”. In looking over that we found a change was made to fix a cross-site request forgery (CSRF) vulnerability that existed with AJAX functionality to share a draft of a post or page publicly. The exploitability of that is limited since an attacker that causes a draft to be shared publicly would still have to guess a 6 character secret key generated using wp_generate_password() to be able to view the draft.

With a CSRF vulnerability you cannot see the result of the request because it is being made by someone else, but the response to the request here does return the secret key needed to view the draft, so there was the potential that WordPress users that don’t have access to a draft could use the functionality to view it since the AJAX request was accessible to anyone logged in to WordPress. In version 1.1.3 we found that anyone logged in could make any draft public. In looking at the changes made in 1.1.4, we found there was no change to deal with that issue. [Read more]