Security readout for executives and security teams
Plain-English summary
This vulnerability affects the WP Attachment Export WordPress plugin before 0.2.4. The sources say missing access controls let unauthenticated visitors download XML data containing attachment and post details. That can expose internal content metadata or unpublished details, but the provided sources do not establish active exploitation or a CVSS score.
Executive priority
Treat this as a focused WordPress data-exposure issue. Prioritize internet-facing WordPress sites, especially those handling sensitive documents, drafts, client material, or regulated content. Urgency is moderate unless sensitive data exposure is confirmed.
Technical view
CVE-2015-20067 is a CWE-862 missing authorization issue in WP Attachment Export. Versions before 0.2.4 reportedly expose an XML export containing attachment and post details without requiring authentication. Public references include WPScan, Full Disclosure, and a scanner module, but the bundle provides no CVSS vector and no KEV listing.
Likely exposure
Exposure is likely limited to public WordPress sites that installed WP Attachment Export before 0.2.4. Sites without this plugin are not indicated as affected. The bundle has an affected-version inconsistency: the title says before 0.2.4, while the affected entry lists 0.2.4.
Exploitation context
The issue is unauthenticated data download, so exploitation would not require a valid WordPress account if the vulnerable plugin is reachable. The source bundle does not show CISA KEV status, active exploitation, mass scanning, or confirmed compromise activity.
Researcher notes
Evidence is enough to identify the bug class, affected plugin, and broad impact. Evidence is incomplete for CVSS, exact affected version boundaries beyond “before 0.2.4,” exploit prevalence, and vendor-maintained remediation notes. Avoid assuming compromise without log or incident evidence.
Mitigation direction
- Inventory WordPress sites for WP Attachment Export installations.
- Update WP Attachment Export to 0.2.4 or later where available.
- Disable or remove the plugin if it is no longer required.
- Review vendor or WPScan guidance for any newer remediation detail.
- Assess exposed attachment and post metadata for business sensitivity.
Validation and detection
- Confirm whether WP Attachment Export is installed on each WordPress site.
- Record the installed plugin version and compare it with before 0.2.4 exposure.
- Check whether unauthenticated users can access plugin export functionality without testing payloads.
- Review web logs for anonymous access to plugin export-related resources.
- Document any exposed attachment or post details for remediation tracking.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-862: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2015-20067 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://seclists.org/fulldisclosure/2015/Jul/73CVE reference · x_refsource_MISC
- https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_attachment_export_file_download.rbCVE reference · x_refsource_MISC
- https://wpscan.com/vulnerability/d1a9ed65-baf3-4c85-b077-1f37d8c7793aCVE reference · x_refsource_MISC
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Missing Authorization
Missing Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
