Description

This application contains one or more pages with what appears to be a session token in the query parameters. A session token is sensitive information and should not be stored in the URL. URLs could be logged or leaked via the Referer header.

Remediation

The session should be maintained using cookies (or hidden input fields).

References

Session Management - OWASP Cheat Sheet Series

Session fixation | OWASP Foundation

Related Vulnerabilities

WordPress Plugin Product Input Fields for WooCommerce Arbitrary File Download (1.2.6)

WordPress Plugin iThemes Security (formerly Better WP Security) Information Disclosure (5.1.1)

WordPress Plugin WP Online Store Local File Include and Multiple File Disclosure Vulnerabilities (1.3.1)

WordPress Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-0701)

Unprotected JSON file leaking secrets

Severity

Low

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure Configuration