Information disclosure, also known as data breach is the unintentional exposure of sensitive information. This sensitive information can be anything from technical information such as plugin versions or hosting plan limits, to users information that should not be made public.
Information disclosure is not a hack but allows an attacker to obtain sensitive information that may help in launching further attacks.. It usually occurs as a result of a misconfiguration or a defect in the WordPress plugin that allows information to be released.
Sensitive information that can be disclosed
Sensitive information that can be unintentionally disclosed and lead to exploits:
| backup files | Complete file backups can be exposed due to improper file permissions or storing them in the same folder as the website |
| database connection details | Leftover configuration files such a copy of wp-config file named wp-config.php.old will contain sensitive information |
| user data | User information such as email addresses, passwords or even credit card numbers can be exposed in database dumps |
| private files | Private files such as digital products in your WooCommerce store can still be publicly accessible due to improper file or folder permissions |
| wordpress info | Number of WP users, posts, media files, and even IP addresses can be exposed using WP REST API |
| server information | in error messages due to WP_DEBUG option left on |
Example: BulletProof plugin vulnerability
🚨 CVE-2021-39327 BulletProof Security WordPress plugin =<5.1 is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible files in which paths to database backup files is stored:
/wp-content/plugins/bulletproof-security/admin/htaccess/db_backup_log.txt
/wp-content/bps-backup/logs/db_backup_log.txt
Example: OptinMonster plugin vulnerability
🚨 CVE-2021-39341 The OptinMonster WordPress plugin =<2.6.4 is vulnerable to sensitive information disclosure via WP REST API which affected over 1M of WordPress websites.
The following URL is publicly accessible and reveals sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site.
/wp-json/omapp/v1/support
⚠️ Check if your website is vulnerable
Here are some simple methods to check if your WordPress website is vulnerable to information disclosure:
REST API
The simplest method to check if your WordPress website is vulnerable to information disclosure is to add /wp-json/wp/v2/users to the URL link:
If the website is vulnerable to information disclosure usign WP REST API then it will display all WordPress users:
WPScan
WPScan is a tool that examines your site in the same way most attackers do: It enumerates details and checks them against its database of vulnerabilities and exploits.
After you’ve installed WPScan and registered to use their API, you can use your unique API token into a scan in order to access WPScan Vulnerability Database API:
wpscan --url yourwebsite.com -e vp --api-token YOUR_TOKEN
If you don’t have access to the terminal then you can use an online security scanner WPSEC.com that uses the same vulnerabilities database but offers less information in the free plan.
Fuzzing
Another common method for an attacker to try to on sensitive information is a technique named Fuzzing, where semi-randomized data is sent to the website in the hope to uncover bugs or leftover files.
For example, a fuzzer can be configured to send multiple HTTP requests trying different URLs in the hope of uncovering a leftover backup file. In such a scenario, requests may look something like this:
https://www.example.com/wp-config.old
https://www.example.com/wp-config.php.old
https://www.example.com/wp-config.bak
https://www.example.com/wp-config.php.back
https://www.example.com/wp-config.txt
https://www.example.com/wp-config.zip
Fuzzing can identify misconfigurations and leftover files, which can give attackers the information they need to find a way into your WordPress website.
A command-line-based tool called ffuf can be used along with a wordlist (a list of file names and file paths collected in plain text) to scan your website for such files:
Google Dorking
Another simple solution to check if sensitive files are publicly available on your website is to search for them on Google.
#1 example: the following query will search only Google indexed pages of website wpxss.com that contain exactly matching word or filename containing .zip
site:wpxss.com “.zip”
#2 example: search Google for websites that have files named wp-config.php.bak
intitle:”index of” “wp-config.php.bak”
How to protect WordPress from information disclosure
As always, update all WordPress plugins and themes that you are using, don’t use nulled/cracked plugins and choose a stable hosting provider.
Use reputable plugins and themes
Bugs in the code can potentially lead to the disclosure of sensitive information. Using reputable WordPress plugins and themes from WordPress.org or CodeCanyon.net ensures that the plugin has been thoroughly tested before being launched.
Detailed plugin guidelines for a plugin to be published on WordPress.org plugn repository are listed here.
WordPress plugin requirements that a plugin has to satisfy in order to be listed on the Envato Marketplace can be viewed here.
While no software is perfect, and some bugs may still exist, it significantly reduces the danger from information disclosure.
Use WordPress Security plugins
Aldo WP REST API can expose a lot of information, a lot of services and plugins such as jetpack or Gutenberg editor depend on it, so I don’t recommend disabling it completely but rather just limiting it’s usage.
WordPress plugin iThemes Security can restrict REST API to logged-in users only:
You can also disable WP REST API or limit it to localhost or logged-in users only directly inside .htaccess file without using a plugin.
Use trusted Hosting provider
Hosting providers such as GoDaddy offer great pricing on their WordPress managed hosting plans but due to the number of websites they are hosting, their servers are often targeted and multiple data breaches have already occurred in the past: GoDaddy Discloses Security Breach; Data of 1.2 Mn WordPress Users Exposed
While using a big hosting provider has it’s up sides, I don’t recommend hosting all your websites with the same provider. Here is a list of WordPress blog hosting compared ✍️
