CVE-2015-20067: 
WordPress vulnerability analysis and mitigation

The WP Attachment Export WordPress plugin before version 0.2.4 contains a vulnerability identified as CVE-2015-20067. This security flaw was discovered by Nitin Venkatesh and publicly disclosed on July 15, 2015. The vulnerability affects the WordPress plugin WP Attachment Export up to version 0.2.3 and was fixed in version 0.2.4 (WPScan).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 7.5 (HIGH). The technical nature of the vulnerability stems from improper access controls in the plugin's implementation. The vulnerability vector is described as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed (NVD).

The vulnerability allows unauthenticated users to download XML data containing all details of attachments and posts on a WordPress-powered site. This includes sensitive information such as privately published posts and password-protected posts with their passwords exposed in plain text (WPScan, Full Disclosure).

The vulnerability was fixed in version 0.2.4 of the WP Attachment Export plugin. The recommended mitigation is to upgrade to this version or newer. The fix was implemented through a code change that can be viewed in the plugin's changelog (Full Disclosure).