Skip to content
Patchstack Academy

Sensitive Data Exposure

Introduction

This article covers ways to secure the code from the Sensitive Data Exposure vulnerability on WordPress. Before returning the requested information to the user, ensure to check whether the user has the permission to view the resource.

Learn more about Sensitive Data Exposure

How to secure Actions

It is necessary to be aware of the data being returned to the user before proceeding with returning the data. For example, if an Ajax hook is implemented to return the post information, it is necessary to check whether the post is publicly accessible for unauthenticated users. For higher privileged users like administrators, any post type can be returned. Apply a manual logic check for all the features that require the retrieval of data.

add_action("wp_ajax_nopriv_view_course", "view_course");


function view_course(){
    $course_id = urldecode( $_POST['course_id'] ?? '' );


    if ( empty( $course_id ) ) {
        wp_send_json_error( [ 'message' => 'Invalid Course ID' ] );
    }


    $course = get_post( $course_id );


    if ( ! $course || 'publish' !== get_post_status( $course ) ) {
        wp_send_json_error( [ 'message' => 'Course not found' ] );
    }


    wp_send_json_success( [
        'id'      => $course->ID,
        'title'   => $course->post_title,
        'content' => $course->post_content,
        'excerpt' => $course->post_excerpt,
        'url'     => get_permalink( $course->ID ),
    ] );
};

In the above example, the strict check for the β€œpublish” status of the post prevents malicious users from accessing the sensitive data.

How to secure Logs

If the log file with a predictable filename and publicly accessible directory is used, it can lead to sensitive data exposure. In order to prevent it, there are multiple ways of implementing the log file.

Log filename randomization

One way to fix this is to use a random name for the log file. This way, an attacker won’t be able to predict or find the log even if it’s in the publicly accessible directory.

function write_sensitive_log($message) {
    $unique_id = hash('sha256', get_current_user_id() . date('Y-m-d-H'));
     $log_file = WP_CONTENT_DIR . '/debug-' . $unique_id . '.log'; // Unpredictable
    file_put_contents($log_file, $message . "\n", FILE_APPEND);
}


add_action('init', function() {
    if (is_user_logged_in()) {
        $current_user = wp_get_current_user();
        $email = $current_user->user_email;
        write_sensitive_log('User email: ' . $email);
    }
});

Adding an .htaccess file

The use of an .htaccess file can prevent attackers from publicly accessing the log file.

function write_sensitive_log_secure($message) {
    $upload_dir = wp_upload_dir();
    $log_dir = $upload_dir['basedir'] . '/debug-logs';


    if (!file_exists($log_dir)) {
        wp_mkdir_p($log_dir);


        file_put_contents($log_dir . '/.htaccess', "Deny from all\n"); // Prevent read access
    }


    $log_file = $log_dir . '/secure-log.log';


    file_put_contents($log_file, $message . "\n", FILE_APPEND | LOCK_EX);
}


add_action('init', function() {
    if (is_user_logged_in()) {
        $current_user = wp_get_current_user();
        $email = $current_user->user_email;
        write_sensitive_log_secure('User email: ' . $email);
    }
});

Contributors

dhakalananda