CVE-2015-20067
📋 TL;DR
The WP Attachment Export WordPress plugin before version 0.2.4 lacks proper access controls, allowing unauthenticated users to download XML data containing all attachment and post details from WordPress sites. This affects any WordPress installation using vulnerable versions of this plugin.
💻 Affected Systems
- WP Attachment Export WordPress Plugin
📦 What is this software?
Wp Attachment Export by Wp Attachment Export Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate all site content including private posts, media files, and metadata, potentially leading to data breaches, content theft, or reconnaissance for further attacks.
Likely Case
Unauthenticated attackers download the site's XML export file containing post titles, content, attachment URLs, and metadata, exposing potentially sensitive information.
If Mitigated
With proper access controls, only authorized administrators can export site data, preventing unauthorized data access.
🎯 Exploit Status
Exploit tools like wpsploit include modules for this vulnerability, making exploitation trivial for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.2.4
Vendor Advisory: https://wpscan.com/vulnerability/d1a9ed65-baf3-4c85-b077-1f37d8c7793a
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Go to Plugins → Installed Plugins
3. Find 'WP Attachment Export'
4. Click 'Update Now' if update is available
5. If no update appears, manually update to version 0.2.4 or later
6. Verify plugin is updated to at least version 0.2.4
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the WP Attachment Export plugin until it can be updated
wp plugin deactivate wp-attachment-export
Restrict access via web server
Block access to the plugin's export functionality using web server rules
# Apache (.htaccess in the site root, mod_rewrite enabled):
RewriteEngine On
RewriteRule ^wp-content/plugins/wp-attachment-export/.*\.php$ - [F,L]
# Nginx (inside the server block, placed before the generic PHP handler location so it matches first):
location ~ ^/wp-content/plugins/wp-attachment-export/ { deny all; }
🧯 If You Can't Patch
- Remove the WP Attachment Export plugin completely from the WordPress installation
- Implement network-level restrictions to block external access to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check if the plugin is installed and its version is below 0.2.4 via WordPress admin panel or by examining the plugin directory
Check Version:
wp plugin get wp-attachment-export --field=version
Verify Fix Applied:
Confirm plugin version is 0.2.4 or higher in WordPress admin or by checking the plugin's main PHP file
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /wp-content/plugins/wp-attachment-export/export.php or similar plugin endpoints from clients with no authenticated WordPress session
- Large XML file downloads from plugin directory
Network Indicators:
- Unusual spikes in traffic to plugin export endpoints
- XML data transfers from WordPress sites to external IPs
SIEM Query:
source="web_server_logs" AND (uri="/wp-content/plugins/wp-attachment-export/export.php" OR uri CONTAINS "wp-attachment-export") AND status=200 AND user_agent NOT CONTAINS "admin"
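The log and SIEM indicators above can be checked offline against a web server access log. The following script is an added example, not part of the original advisory or the plugin: it parses Apache/Nginx "combined" format lines, keeps successful (HTTP 200) requests under the plugin's directory, and summarises hits and bytes transferred per client address so that large XML downloads stand out. The sample log lines are constructed, the endpoint name export.php is taken from the page's log indicators and assumed rather than confirmed, and the 100 kB "large download" threshold is an assumption to tune per site. Note that standard access logs do not record whether the client had a WordPress session, so every hit is reported and the analyst decides which were legitimate administrator exports.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" log format:
# host ident user [time] "METHOD path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directory of the affected plugin, as named in the advisory above.
PLUGIN_PREFIX = "/wp-content/plugins/wp-attachment-export/"
# Assumed threshold for flagging a "large XML download"; tune to the site's export size.
LARGE_BYTES = 100_000


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_plugin_hit(rec):
    """True for successful requests served from the plugin directory (query string ignored)."""
    path = rec["path"].split("?", 1)[0]
    return path.startswith(PLUGIN_PREFIX) and rec["status"] == 200


def scan(lines):
    """Return {ip: {"hits": n, "bytes": total, "large": n}} for successful plugin hits."""
    summary = defaultdict(lambda: {"hits": 0, "bytes": 0, "large": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_plugin_hit(rec):
            continue
        entry = summary[rec["ip"]]
        entry["hits"] += 1
        entry["bytes"] += rec["bytes"]
        if rec["bytes"] >= LARGE_BYTES:
            entry["large"] += 1
    return dict(summary)


def report(summary):
    """Render the scan summary as one line per client, largest transfer volume first."""
    lines = []
    for ip, s in sorted(summary.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        lines.append(f"{ip}: {s['hits']} plugin hit(s), {s['bytes']} bytes, {s['large']} large download(s)")
    return lines


# Constructed sample log: two large exports from one address, a 404 probe, an admin-page
# view that is not under the plugin directory, and an unrelated login request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2015:08:12:01 +0000] "GET /wp-content/plugins/wp-attachment-export/export.php HTTP/1.1" 200 482113 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2015:08:12:05 +0000] "GET /wp-content/plugins/wp-attachment-export/export.php?x=1 HTTP/1.1" 200 482113 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jul/2015:08:13:00 +0000] "GET /wp-content/plugins/wp-attachment-export/readme.txt HTTP/1.1" 404 210 "-" "curl/7.43"',
    '192.0.2.9 - - [10/Jul/2015:08:14:00 +0000] "GET /wp-admin/admin.php?page=wp-attachment-export HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jul/2015:08:14:30 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in report(scan(SAMPLE_LOG)):
        print(line)
```

Run it against a real log with `scan(open("/var/log/apache2/access.log"))`; the 404 probe and the admin page view are deliberately excluded so that only successful downloads from the plugin directory are counted, which is the condition the SIEM query above expresses.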
🔗 References
- https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_attachment_export_file_download.rb
- https://seclists.org/fulldisclosure/2015/Jul/73
- https://wpscan.com/vulnerability/d1a9ed65-baf3-4c85-b077-1f37d8c7793a