
WordPress Themes Haberadam JSON API - IDOR and Path Disclosure

By kannthu

Low
Vidoc Module
#wordpress#idor#wp-theme#disclosure
Description

What is the "WordPress Themes Haberadam JSON API - IDOR and Path Disclosure" module?

The "WordPress Themes Haberadam JSON API - IDOR and Path Disclosure" module is designed to detect a misconfiguration vulnerability in WordPress themes that use the Haberadam JSON API. This vulnerability can lead to an Insecure Direct Object Reference (IDOR) and path disclosure, potentially exposing sensitive information.

This module has a low severity level and was authored by pussycat0x.

Impact

If the vulnerability is present, an attacker may be able to access restricted resources or obtain sensitive information by manipulating the id parameter of the theme's api/mobile-info.php endpoint. Additionally, the path disclosure can reveal the internal file structure of the installation and potentially aid further attacks.

How does the module work?

The module sends HTTP GET requests to the following paths:

/wp-content/themes/haberadam/api/mobile-info.php?id=
/blog/wp-content/themes/haberadam/api/mobile-info.php?id=

The module then applies the following matching conditions:

- The response body must contain the words "status", "hava", "degree", and "icon".
- The response status code must be 200.
- The response header must contain the word "text/html".

If all the conditions are met, the module will report a vulnerability.
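The three AND-ed matching conditions above, reimplemented as an added example (this is not Vidoc's own code) so a site owner can run them over a response captured from their own installation; the HttpResponse type and the sample responses are constructed for illustration:

```python
from dataclasses import dataclass, field

# Words the module requires in the response body (from the module definition).
REQUIRED_WORDS = ("status", "hava", "degree", "icon")


@dataclass
class HttpResponse:
    """Minimal stand-in for a captured HTTP response (hypothetical type)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def evaluate_conditions(resp: HttpResponse) -> dict:
    """Return each of the module's three conditions with its pass/fail result."""
    header_blob = " ".join(f"{k}: {v}" for k, v in resp.headers.items())
    return {
        "body_words": all(w in resp.body for w in REQUIRED_WORDS),
        "status_200": resp.status == 200,
        "header_text_html": "text/html" in header_blob,
    }


def module_matches(resp: HttpResponse) -> bool:
    """The module reports a finding only when all three conditions hold (AND)."""
    return all(evaluate_conditions(resp).values())


# Constructed sample responses, not captured from any real site.
EXPOSED = HttpResponse(
    status=200,
    headers={"Content-Type": "text/html; charset=UTF-8"},
    body='{"status":"ok","hava":{"degree":"21","icon":"01d"}}',
)
# Once access to the endpoint is blocked, the same request yields a 403.
BLOCKED = HttpResponse(status=403, headers={"Content-Type": "text/html"}, body="Forbidden")
# Same JSON served with an application/json header: the module stays silent,
# so a negative scan result alone does not prove the endpoint is closed.
JSON_CTYPE = HttpResponse(
    status=200,
    headers={"Content-Type": "application/json"},
    body=EXPOSED.body,
)

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("blocked", BLOCKED), ("json_ctype", JSON_CTYPE)):
        print(name, module_matches(sample), evaluate_conditions(sample))
```

The per-condition breakdown from evaluate_conditions is what you want when triaging: a 200 with text/html but missing words usually means a different theme version, whereas a JSON content type means the matcher, not the fix, is the reason for silence.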

For more information, refer to the reference.

Metadata:

- Max request: 2
- Google query: inurl:/wp-content/themes/haberadam/

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /wp-content/themes/h... /blog/wp-content/the...
Matching conditions
word: "status", "hava", "degree", "icon" and
status: 200 and
word: text/html
Passive global matcher
No matching conditions.
On match action
Report vulnerability