WordPress Misconfiguration Leads to User File Disclosure ($$$)
Hello again, and welcome to another bug hunting story. I'm a part-time bug hunter, so in my spare time I take a look at programs on bug bounty platforms. I tried hunting on a new program whose scope was a single website. I saw that the website was a WordPress CMS, so I opened a WordPress pentesting cheat sheet.
During my hunting I analyzed some interesting WordPress endpoints. Do you know the WordPress REST API?
GET /wp-json/wp/v2/*
There are several points from my analysis:
- I couldn't access the endpoints unauthenticated: “Only authenticated users can access the REST API”.
- The website has public registration.
- The website has an upload feature on its public contact form.
So I thought the attack scenario was complete.
I discovered that the GET /wp-json/wp/v2/media endpoint exposed a complete list of files uploaded by all users. Because any self-registered account counts as an authenticated user, the endpoint is effectively accessible without proper authentication or authorization, and it allows an attacker to view and download sensitive files.
This vulnerability enables an attacker to download all confidential or sensitive files uploaded by users of the website. Files that should be restricted to authorized users become publicly accessible, posing a serious security risk.
Steps to Reproduce
1. The attacker discovers the REST API endpoint for uploaded media files, but only authenticated users can access it.
2. The attacker uploads a test file via the https://redacted.com/contact page.
3. The attacker then registers an account through public registration.
4. Using the cookie from the registered account, the attacker requests the following endpoint:
GET /wp-json/wp/v2/media
5. Observe that the API response contains a list of uploaded files, including URLs that allow direct downloads.
6. Verify that these direct file links can be accessed without authentication, meaning an attacker could retrieve and download all uploaded documents.
Lessons Learned for Developers
Secure API Endpoints with Proper Authentication & Authorization
- Restrict access to the GET /wp-json/wp/v2/media endpoint by requiring proper authentication and authorization.
- Implement role-based access control (RBAC) so that only authorized users can access their own files.
- Remove unnecessary metadata exposure from the API response.
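The three points above can be enforced from a small must-use plugin. The following is an added example written for this post, not code from the affected site or from WordPress itself; the plugin file name and the prefix `rmre_` are my own choices. It uses four real WordPress hooks: `rest_authentication_errors` to require a login for the REST API, `rest_attachment_query` to scope the media collection to the caller's own uploads, `rest_request_before_callbacks` to block single-item reads of attachments the caller does not own, and `rest_prepare_attachment` to strip metadata from the response. Users who can `edit_others_posts` (editors and administrators) keep full visibility.

```php
<?php
/**
 * Plugin Name: Restrict Media REST Exposure (added example, not the site's own code)
 * Description: Hypothetical mu-plugin (wp-content/mu-plugins/restrict-media-rest.php).
 *   (1) requires login for the REST API, (2) limits GET /wp/v2/media to the caller's own
 *   uploads, (3) blocks GET /wp/v2/media/{id} for other users' attachments, and
 *   (4) strips metadata fields from attachment responses.
 */

// (1) Require an authenticated user for every REST request.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier filter already decided (error or explicit success): respect it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Only authenticated users can access the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// Helper: may this user see every attachment (editors/admins), or only their own?
function rmre_can_see_all_media() {
    return current_user_can( 'edit_others_posts' );
}

// (2) Scope the collection query (GET /wp/v2/media) to the caller's own uploads.
add_filter( 'rest_attachment_query', function ( array $args, WP_REST_Request $request ) {
    if ( ! rmre_can_see_all_media() ) {
        // Forces post_author = current user. Uploads with author 0 (e.g. anonymous
        // contact-form submissions) are therefore hidden from ordinary accounts,
        // which is the safe default.
        $args['author'] = get_current_user_id();
    }
    return $args;
}, 10, 2 );

// (3) Block single-item reads (GET /wp/v2/media/{id}) of attachments the caller does not own.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, WP_REST_Request $request ) {
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( preg_match( '#^/wp/v2/media/(\d+)$#', $request->get_route(), $m ) && ! rmre_can_see_all_media() ) {
        $post = get_post( (int) $m[1] );
        if ( ! $post || 'attachment' !== $post->post_type || (int) $post->post_author !== get_current_user_id() ) {
            // 404 rather than 403 so the endpoint does not confirm that the ID exists.
            return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
        }
    }
    return $response;
}, 10, 3 );

// (4) Strip fields that reveal more than an ordinary client needs
//     (original file names, EXIF data, size variants, the uploading author).
add_filter( 'rest_prepare_attachment', function ( WP_REST_Response $response, WP_Post $post, WP_REST_Request $request ) {
    if ( rmre_can_see_all_media() ) {
        return $response;
    }
    $data = $response->get_data();
    foreach ( array( 'media_details', 'author', 'guid', 'description', 'post' ) as $field ) {
        unset( $data[ $field ] );
    }
    $response->set_data( $data );
    return $response;
}, 10, 3 );
```

Two caveats when deploying something like this. First, a blanket login requirement on `rest_authentication_errors` also affects front-end plugins that submit through the REST API for anonymous visitors (many contact-form plugins do), so the check may need to be narrowed to the `wp/v2` namespace. Second, step 6 of the reproduction shows the real problem: the files under wp-content/uploads are served directly by the web server, so none of these REST filters protect a file whose URL is already known. Sensitive uploads need to be stored outside the web root (or behind a web-server rule) and served through an authenticated handler; the REST hardening only stops the enumeration that made those URLs discoverable.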
This issue highlights the importance of securing media endpoints on WordPress-based websites, as unrestricted access can lead to data leaks and privacy breaches.