• Resolved dev

    (@devksec)


    Hello,

    So we’ve been looking into “wpo-plugins-tables-list.json”. It contains a non-sensitive plugin list and is publicly accessible via the uploads folder.

    https://ww.wp.xz.cn/support/topic/security-issue-111/

    While the content isn’t so much of an issue, it can be used to enumerate WordPress websites that use this plugin (if insecurely configured, from search engines).

    https://www.google.co.uk/search?q=wpo-plugins-tables-list.json

    This poses an informational risk issue and we would like a resolution.

    Could this file not be kept within the plugin folder, or is there a workaround to stop it being publicly accessible going forward?

    Many thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi there,

    Thanks for your message.
    We’ll look at what to do. Though searching for a readme file will also give a similar result: https://www.google.co.uk/search?q=wp-content/plugins/wp-optimize/readme.txt and every single plugin on the repository has it.

    Most plugins are easy enough to detect, and if someone finds a security hole in WP-Optimize (or anything else), they’ll probably just try to exploit it, as finding out if the plugin is installed is redundant with trying the exploit straight away.

    Could this file not be kept within the plugin folder

    This file can be updated independently from the rest of the plugin, and the only place with consistent writing rights is the uploads folder.

    Kind regards,
    Marc
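The opening post asks for a workaround to stop the file being publicly reachable, and the reply above explains why it has to live in the writable uploads folder rather than the plugin folder. The two are compatible: the file can stay on disk where the plugin writes it while the web server refuses to serve it over HTTP. The following Apache configuration is an added example written for this thread; it is not code from the original posts or from the WP-Optimize project, and it assumes an Apache host with `AllowOverride` permitting `.htaccess` in the uploads directory and that the plugin reads the file from the filesystem rather than fetching it over HTTP.

```apache
# Added example (not from the thread or WP-Optimize): deny direct HTTP requests
# for wpo-plugins-tables-list.json while leaving the file in place on disk, so the
# plugin can still read and update it. Save as wp-content/uploads/.htaccess; a
# <Files> match applies to that filename in every subdirectory below uploads.
<Files "wpo-plugins-tables-list.json">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

After adding the rule, a request for the file from outside the server should return 403 instead of the JSON body; the plugin's own features should be rechecked once, since the assumption above (filesystem access only) is what keeps them working. A 403 is also what eventually removes the file from search results, which a `robots.txt` entry alone does not achieve, because `robots.txt` is a crawling hint rather than access control.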

    Can it be deleted, though? Won’t that harm the site?


The topic ‘wpo-plugins-tables-list.json WordPress enumeration’ is closed to new replies.