Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
WPEngine _wpeprivate/config.json information disclosure - Vulnerability Database

WPEngine _wpeprivate/config.json information disclosure

Description

WPEngine is a provider of managed WordPress hosting. WPEngine creates a folder named _wpeprivate that contains the config.json file. This file contains highly sensitive information (such as WPEngine database credentials) and should not be publicly accessible. It was confirmed that it's possible to access this file without authorization.

Remediation

You should restrict access to the <strong>_wpeprivate</strong> directory by adjusting your web server configuration.

References

P1 Vulnerability in 60 seconds
WPEngine

Related Vulnerabilities

Trace.axd Detected High
Common tags: Information Disclosure
WordPress Plugin WP Online Store Local File Include and Multiple File Disclosure Vulnerabilities (1.3.1) High
Common tags: Information Disclosure
WordPress Plugin Simple Gmail Login Stack Trace Information Disclosure (1.1.3) High
Common tags: Information Disclosure
WordPress Plugin W3 Total Cache Information Disclosure (0.9.2.4) High
Common tags: Information Disclosure
WordPress Plugin Duplicator-WordPress Migration Arbitrary File Disclosure (0.3.0) High
Common tags: Information Disclosure

Severity

High

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure