United Nations WordPress Site Exposes Thousands of Resumes

Disclosure vulnerabilities in a web app from the United Nations leave open to public access CVs from job applicants and the organization failed to plug the leak despite receiving a private report on the issues.

Security researcher Mohamed Baset of penetration testing company Seekurity found a path disclosure and an information disclosure bug in one of the UN's WordPress websites, which gives unfettered access to job applications since 2016. He claims that thousands of documents have been uploaded.

Baset noticed that job applicants seeking a position with the UN can send their resumes through an improperly configured web application. The researcher found that this oversight left open the access to a directory index of what appear to be documents of individuals looking for a job.

Although fixing the problem is a simple matter, Baset says he did not receive the expected answer following his reporting of the problem.

Throwing the responsibility

A month after sending his initial report on August 6, two messages asking for the status of his disclosure and another email announcing full public disclosure, Baset says he got a reply.

According to the researcher, "someone from UN@Security" said that the vulnerability did not "pertain to the United Nations Secretariat, and is for UNDP [United Nations Development Programme].” This was on September 5.

Today, 48 days after making a responsible disclosure to infosec@un.org, Baset decided to release the details to the public.

"The discovered vulnerabilities have been responsibly reported to the United Nations along with other discovered issues (not mentioned here) including the technical details on how to reproduce the issues," the researcher announced.

Baset's recommendation to WordPress website owners is to keep their installation up to date as well as of any plugins; they should lock any sensitive files from public view and restrict access to all folders under /wp-content/*.

Baset also published a video explaining how he discovered the path to the directory holding the sensitive data:

BleepingComputer sent an email to UNDP alerting them of the exposure of sensitive job applicant details. We have not received a reply by publishing time.