Information disclosure vulnerability fixed in WordPress Doneren Met Mollie plugin.

The WordPress Doneren Met Mollie plugin (4,000+ active installations) fixed a broken access control vulnerability affecting version 2.8.4 and below that could lead to authenticated information disclosure.

Authenticated Information Disclosure

In the “doneren-met-mollie/includes/class-admin.php” script, at line 19, the plugin registers the dmm_export_donations function as the handler for the admin_post_dmm_export action:

19   add_action('admin_post_dmm_export', array($this, 'dmm_export_donations'));
...
...
266   public function dmm_export_donations()
267   {
268      header('Content-Type: text/csv; charset=utf-8');
269      header('Content-Disposition: attachment; filename=donations.csv');
270      $output = fopen('php://output', 'w');
271   
272      fputcsv($output, array(
273         __('Date/time', 'doneren-met-mollie'),
274         __('Name', 'doneren-met-mollie'),
275         __('Company name', 'doneren-met-mollie'),
276         __('Email address', 'doneren-met-mollie'),
277         __('Phone number', 'doneren-met-mollie'),
278         __('Address', 'doneren-met-mollie'),
279         __('Zipcode', 'doneren-met-mollie'),
280         __('City', 'doneren-met-mollie'),
281         __('Country', 'doneren-met-mollie'),
282         __('Project', 'doneren-met-mollie'),
283         __('Message', 'doneren-met-mollie'),
284         __('Currency', 'doneren-met-mollie'),
285         __('Amount', 'doneren-met-mollie'),
286         __('Status', 'doneren-met-mollie'),
287         __('Payment method', 'doneren-met-mollie'),
288         __('Recurring payment', 'doneren-met-mollie'),
289         __('Donation ID', 'doneren-met-mollie'),
290         __('Payment ID', 'doneren-met-mollie'),
291      ));
...
...

Because the function doesn’t check user capabilities, any logged-in user can export the CSV file, which includes donations and all donors’ personal information, by sending a GET /wp-admin/admin-post.php?action=dmm_export request.

Recommendations

Update immediately if you have version 2.8.4 or below installed. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Timeline

Due to unsuccessful attempts to contact the authors on January 12, 2021, the issue was escalated to the WordPress Plugins Team on January 15 and a new version 2.8.5 was released on January 16.
