CVE-2014-5337

Wordpress Mobile Pack < 2.0.1 - Access Control

Title source: rule

Description

The WordPress Mobile Pack plugin before 2.0.2 for WordPress does not properly restrict access to password protected posts, which allows remote attackers to obtain sensitive information via an exportarticles action to export/content.php.

Exploits (1)

metasploit WORKING POC

by Nitin Venkatesh · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb

View Code ZIP pw:eip

References (4)

[Third Party Advisory] http://secunia.com/advisories/60584

[Patch] http://wordpress.org/plugins/wordpress-mobile-pack/changelog/

[Exploit] https://security.dxw.com/advisories/information-disclosure-vulnerability-in-wordpress-mobile-pack-allows-anybody-to-read-password-protected-posts/

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/69292

Scores

EPSS 0.5279

EPSS Percentile 98.0%

Details

CWE

CWE-264

Status published

Products (14)

wordpress_mobile_pack_project/wordpress_mobile_pack 1.2.0 (3 CPE variants)

wordpress_mobile_pack_project/wordpress_mobile_pack < 2.0.1

wpmobilepack/wordpress_mobile_pack 1.0.8223

wpmobilepack/wordpress_mobile_pack 1.1.1

wpmobilepack/wordpress_mobile_pack 1.1.2

wpmobilepack/wordpress_mobile_pack 1.1.3

wpmobilepack/wordpress_mobile_pack 1.1.9

wpmobilepack/wordpress_mobile_pack 1.1.91

wpmobilepack/wordpress_mobile_pack 1.1.92

wpmobilepack/wordpress_mobile_pack 1.2.1

... and 4 more

Published Aug 29, 2014

Tracked Since Feb 18, 2026