severity_rating: medium created_at: 2018-11-23 03:05:53 vendor: olx https://hackerone.com/olx bounty_amount:

Hi, I found that the site blog.praca.olx.pl is exposing the content of the wp-config.php file in plaintext due to a misconfiguration in the file-manager plugin.

The information can be accessed here: http://blog.praca.olx.pl/wp-content/uploads/file-manager/log.txt

The credentials are stored in the log.txt file, as can be seen in the following image:

An attacker could use this information for further attacks.

Regards,

Impact

An attacker could use this information for further attacks. If database access is achieved, all the information of the blog will be at risk, and it could be used to achieve remote code execution via file upload in the admin panel.
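The following is an added example, not part of the report or OLX's code, of how a triager might confirm and safely document a leak like the one described above: it parses wp-config.php style define() lines out of an exposed text blob and masks the secret values before they go into a ticket. It assumes the plugin log echoes wp-config.php content verbatim; the sample log below is constructed for the example and is not the real file.

```python
"""Parse wp-config.php style secrets out of an exposed text blob and mask them."""
import re
from urllib.parse import urljoin

# Path of the file-manager plugin log the report says was exposed.
FILE_MANAGER_LOG = "wp-content/uploads/file-manager/log.txt"

# Keys whose values are secrets and must be masked before they hit a ticket.
SECRET_KEYS = {
    "DB_PASSWORD", "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
}

# Matches define('KEY', 'value'); with either quote style and loose whitespace.
DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def extract_wp_config_defines(text):
    """Return {KEY: value} for every define() found in wp-config-like text."""
    return {key: value for key, value in DEFINE_RE.findall(text)}


def mask(value, keep=2):
    """Keep the first `keep` characters so a match can be confirmed without the full secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def summarize_leak(text):
    """Report-safe summary: non-secret values verbatim, secret values masked."""
    found = extract_wp_config_defines(text)
    return {k: (mask(v) if k in SECRET_KEYS else v) for k, v in found.items()}


def log_url(base):
    """Build the URL to check for a given WordPress base URL (assumed path layout)."""
    return urljoin(base.rstrip("/") + "/", FILE_MANAGER_LOG)


# Constructed sample of a log that echoes wp-config.php content (not real data).
SAMPLE_LOG = """\
[2018-11-20 10:02:11] read file wp-config.php
<?php
define( 'DB_NAME', 'blog_db' );
define('DB_USER', 'blog_user');
define("DB_PASSWORD", "s3cretPass!");
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY', 'abcd1234efgh5678' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print("check:", log_url("http://blog.praca.olx.pl"))
    for key, val in summarize_leak(SAMPLE_LOG).items():
        print(f"{key} = {val}")
```

Only the masked summary should be pasted into a report; the raw values stay with the evidence, which is the same reason the report above attaches a screenshot rather than quoting the credentials.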
