Vigil@nce - WordPress: information disclosure via options-writing.php
December 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who can read the database through another WordPress
vulnerability can obtain sensitive information.
Impacted products: WordPress Core
Severity: 1/4
Creation date: 23/12/2013
DESCRIPTION OF THE VULNERABILITY
The WordPress site has a section reserved for the administrator
(/wp-admin).
However, the /wp-admin/options-writing.php page saves the user’s
password in clear text in the database.
An attacker who can read the database through another WordPress
vulnerability can therefore obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/WordPress-information-disclosure-via-options-writing-php-13980