User Meta Manager [Information Disclosure]

Description

User Meta Manager for WordPress plugin up to v3.4.6 suffers from a information disclosure vulnerability. Any registered user can perform an a series of AJAX requests, in order to get all contents of usermeta DB table.

usermeta table holds additional information for all registered users. User Meta Manager plugin offers a usermeta table backup functionality. During the backup process the plugin takes no action in protecting the leakage of the table contents to unauthorized (non-admin) users.

PoC

Get as MySQL query

First a backup table must be created

Then we get the table with another request

Get as CSV file

Solution

Upgrade to version 3.4.8