• Resolved nasdie

    (@nasdie)


    So basically, the debug log and config files could be downloaded by anyone, even if they are not logged in as admin.

    This is a huge security concern as if anyone can download these files, they can gain access to your Cloudflare sensitive information. The plugin should not allow downloading these files if you are not logged in as admin.

    To test it, simply add /wp-admin/?swcfpc_export_config=1 to the end of your website URL and open it in an incognito window. You will see that the file will be downloaded with all your Cloudflare account details + CFSPC plugin config.

    Looking forward to the fix ASAP!
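
A site owner can check web server access logs for export requests that were actually served. The sketch below is an added example, not part of the original post or the plugin's code; it assumes Combined Log Format, a hypothetical `admin_ips` allowlist of addresses the administrator uses, and that a 2xx status means the file was returned. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: ip - user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
EXPORT_PARAM = "swcfpc_export_config"  # parameter name taken from the post

def find_export_hits(lines, admin_ips=frozenset()):
    """Return (ip, time, status, size) for served export requests from non-admin IPs."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # parse_qs percent-decodes names, so swcfpc%5Fexport%5Fconfig also matches
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if EXPORT_PARAM not in query:
            continue
        status = int(m["status"])
        # Assumption: 2xx = file served; a redirect to login or a 403 = refused
        if 200 <= status < 300 and m["ip"] not in admin_ips:
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append((m["ip"], m["time"], status, size))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up timestamps)
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-admin/?swcfpc_export_config=1 HTTP/1.1" 200 1843 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jan/2024:10:02:11 +0000] "GET /wp-admin/?swcfpc_export_config=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jan/2024:10:05:40 +0000] "GET /wp-admin/?swcfpc_export_config=1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2024:10:09:12 +0000] "GET /wp-admin/?page=x&swcfpc%5Fexport%5Fconfig=1 HTTP/1.1" 200 1850 "-" "-"',
    '203.0.113.9 - - [10/Jan/2024:10:09:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_export_hits(SAMPLE, admin_ips={"192.0.2.10"}):
        print("served export request:", hit)
```

Any hit means the exported configuration should be treated as disclosed and the Cloudflare credentials stored in it rotated.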

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Huge Security Leak Bug’ is closed to new replies.