Technical Insight-Vulnerabilities-Web Application Security

Information Leakage in WordPress

WordPress suffers from a fairly minor flaw that may be used by attackers without much difficulty. WordPress flaws have been numerous over the years – everything from command injection or SQL injection to XSS and CSRF. One of my favorite issues has always been information leakage because it’s the one that’s always marked as low severity and that no one ever takes seriously. That said, it’s still an exploit that could be disastrous in some circumstances.

WordPress has an upload process for media that is separate from the blog posting process. As such they aren’t governed by the same rules concerning authorization. Once something is uploaded as media it is instantly visible on the site, regardless of whether the blog post has been posted yet or not.

Additionally, the URLs used by the blog are extremely easy to brute force because they are always larger than the last attachment_id by some amount. The actual number is based on how many posts are in the database and not just on media, so it does take a tiny bit of work to know when to stop looking. But the URLs are consistently like this:





Now you’re asking yourself, so what? The problem is that because the timing between the media and the blog post isn’t identical you can end up in a race condition with the content. For instance, let’s say you run a publicly traded company and you are about to release your earnings report on your blog. You may upload a PDF of the earnings report a day or multiple days in advance to make sure everything is perfect and ready to go when you announce. In this case the adversary can guess the URL for the PDF of your earnings report and download it potentially days in advance. This would allow them to trade in advance of your company’s earning reports.

Another example is where a blog post is internally contentious and needs a lot of editing. It may take months for a big company to decide that a post is ready to go. But in that timeframe an attacker may identify the cited uploaded media – images, movies, PDF documents, Word documents, Excel spreadsheets, HTML and so on. This can give an adversary a great deal of information before you’re ready to disclose it. This can be used for anti-competitive practices, or simply to predict the features of the next gadget your company is producing.

So yes, minor issue, but definitely one to be aware of if you use WordPress.

  • Space Rogue

    Not new but nice to seen written up formally. Also this is what Weev, aka Rabite, aka Andrew Aurnhiemer went to jail for.

    – SR

  • greggles

    Did you consider reporting this to

    Media attached to an unpublished post should be private, so this seems like an access bypass.

  • nacin

    If you upload a file to an unpublished post, ?attachment_id=123 will only work if you are logged in and have the ability to edit that post. Otherwise, you’ll get a 404.

    Very simply, ?attachment_id=123 is not something you can use to look for attachments stuck in limbo while their parent posts remain private. It just doesn’t work.

    WordPress has taken care to avoid the outward appearance that files are private. For example, WordPress does not have a built-in “private site” feature specifically because it simply cannot guarantee the privacy of uploads. And while WordPress allows posts or pages to be added to a “trash” bin, it doesn’t allow the same for media files, as it might suggest to the user that a file that is “trashed” cannot be accessed, which is not the case.

    Yes, when files are uploaded using WordPress (a publishing platform, after all), they are public via direct URLs. WordPress does not serve files; it leaves that to the web server. Even if WordPress wanted to, it wouldn’t always be feasible on many shared hosts or other setups, not to mention an increase in necessary resources. But WordPress does not make it quite as easy to enumerate through them as claimed here. And for users and sites who need them, there are numerous plugins offering a range of features, from private uploads to complex document management.

    Thanks for using WordPress here, guys. 🙂

  • Zahid Habib

    Is there any fix of it?

  • http://facebook.comAnthony.Hinnant Anthony D Hinnant

    Password Cracking AES-256 DMGs and Epic Self-Pwnage ……‎Cached

    SimilarFeb 7, 2013 – FileVault is a full disk encryption feature utilizing XTS-AES 128 crypto. … What is possible is law enforcement, or a robber, forcibly stopping me and … As they begin to snoop around, image the drive, run forensics, etc., they ….. Hey have you ever put that border crossing reason for encryption to the test?