During a security review of the WordPress plugin Orbit Fox by ThemeIsle, version 2.10.45, running on WordPress version 6.7.2, I discovered that an API key is hardcoded in the source code. This key provides unauthorized access to private photos stored on the API service:
File: themeisle-companion\obfx_modules\mystock-import\init.php
Line: 23
API key: "97d007cf8f44203a2e578841a2c0f9ac"
Step-by-step reproduction instructions
1. Download Orbit Fox by ThemeIsle version 2.10.45.
2. Inspect the file themeisle-companion\obfx_modules\mystock-import\init.php and locate the hardcoded API key.
3. Use the API key to send a request to https://api.flickr.com/services/rest/?method=flickr.photos.getRecent&api_key=___APIKEY___&page=4&format=json&nojsoncallback=1&extras=url_w
4. The response includes image data, including private images, which should not be publicly accessible.
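The check a reviewer would run over a release to catch this class of finding before it ships: a scanner that walks a plugin's PHP files and flags credential-looking identifiers assigned a long literal value, as in the init.php line reported above. This is an added example, not code from the Orbit Fox plugin or from the reporter. The two PHP snippets, the class name OBFX_Stock_Import_Sample, the constant OBFX_FLICKR_API_KEY and the key value in them are constructed for illustration; the hardened snippet shows the shape that passes the scan, with the key sourced from wp-config.php or the environment rather than the repository.

```python
"""Hardcoded-API-key scanner for PHP plugin sources (added example; assumptions noted inline)."""
import re
from dataclasses import dataclass
from pathlib import Path

# Identifier fragments that suggest a credential (matched case-insensitively).
SECRET_NAME = r"(?:api[_\-]?key|apikey|secret|token|password)"
# A quoted literal of 20+ token characters: long enough to be a real key,
# so short placeholders such as '___APIKEY___' are not reported.
SECRET_LITERAL = r"['\"](?P<value>[A-Za-z0-9_\-]{20,})['\"]"

PATTERNS = [
    # $api_key = '...';  or  $this->api_key = "...";
    re.compile(r"\$(?:this->)?\w*" + SECRET_NAME + r"\w*\s*=\s*" + SECRET_LITERAL, re.I),
    # 'api_key' => '...'   (array / options entry)
    re.compile(r"['\"]\w*" + SECRET_NAME + r"\w*['\"]\s*=>\s*" + SECRET_LITERAL, re.I),
    # define( 'SOMETHING_API_KEY', '...' );
    re.compile(r"\bdefine\(\s*['\"]\w*" + SECRET_NAME + r"\w*['\"]\s*,\s*" + SECRET_LITERAL, re.I),
    # A 32-hex key pasted straight into a query string, as in the reproduction URL.
    re.compile(r"api_key=(?P<value>[0-9a-f]{32})", re.I),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 1-based line number, like the "Line: 23" in the report
    value: str     # the literal that looks like a key
    snippet: str   # the offending source line, stripped


def scan_php(path: str, source: str) -> list[Finding]:
    """Return one Finding per source line that carries a literal credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, lineno, match.group("value"), line.strip()))
                break  # one finding per line is enough
    return findings


def scan_directory(root: str) -> list[Finding]:
    """Walk an unzipped plugin release and scan every .php file under it."""
    results = []
    for php in sorted(Path(root).rglob("*.php")):
        results.extend(scan_php(str(php), php.read_text(encoding="utf-8", errors="replace")))
    return results


# Constructed sample in the style of the report; NOT the plugin's actual source.
VULNERABLE_PHP = """<?php
// Constructed sample in the style of the report; NOT the plugin's actual source.
class OBFX_Stock_Import_Sample {
    private $api_key = '0123456789abcdef0123456789abcdef';

    public function recent_url( $page ) {
        return 'https://api.flickr.com/services/rest/?method=flickr.photos.getRecent'
            . '&api_key=' . $this->api_key . '&page=' . $page . '&format=json';
    }
}
"""

# Constructed hardened variant: the key is read from a wp-config.php constant or
# the environment (constant name OBFX_FLICKR_API_KEY is an assumption), so no
# literal credential exists in the shipped code.
HARDENED_PHP = """<?php
class OBFX_Stock_Import_Sample {
    private $api_key;

    public function __construct() {
        $this->api_key = defined( 'OBFX_FLICKR_API_KEY' )
            ? OBFX_FLICKR_API_KEY
            : getenv( 'OBFX_FLICKR_API_KEY' );
    }
}
"""


def demo() -> tuple[list[Finding], list[Finding]]:
    """Scan both constructed snippets: the first yields one finding, the second none."""
    return (scan_php("vulnerable/init.php", VULNERABLE_PHP),
            scan_php("hardened/init.php", HARDENED_PHP))


if __name__ == "__main__":
    vulnerable, hardened = demo()
    for f in vulnerable:
        print(f"{f.path}:{f.line}: hardcoded key {f.value!r} in: {f.snippet}")
    print(f"hardened variant: {len(hardened)} finding(s)")
```

Run `scan_directory("/path/to/unzipped/themeisle-companion")` against a downloaded release to get the file and line for every literal credential; the regexes deliberately accept only quoted literals, so code that reads the key from `defined()`, `getenv()` or `get_option()` is not reported.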
Screenshots, screen recording, code snippet or Help Scout ticket
Environment info
No response
Is the issue you are reporting a regression
No
TimoMangCut added the bug label on Feb 28, 2025.