CVE-2014-5337
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The WordPress Mobile Pack plugin before 2.0.2 for WordPress does not properly restrict access to password protected posts, which allows remote attackers to obtain sensitive information via an exportarticles action to export/content.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products (17)
- cpe:2.3:a:wordpress_mobile_pack_project:wordpress_mobile_pack:1.2.0:b2:*:*:*:wordpress:*:*
- cpe:2.3:a:wordpress_mobile_pack_project:wordpress_mobile_pack:1.2.0:b:*:*:*:wordpress:*:*
- cpe:2.3:a:wordpress_mobile_pack_project:wordpress_mobile_pack:1.2.0:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wordpress_mobile_pack_project:wordpress_mobile_pack:*:*:*:*:*:wordpress:*:* (range: <=2.0.1)
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:1.0.8223:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:1.1.1:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:1.1.2:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:1.1.3:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:1.1.91:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:1.1.92:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:1.1.9:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:1.2.1:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:1.2.3:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:1.2.4:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:1.2.5:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpmobilepack:wordpress_mobile_pack:2.0:*:*:*:*:wordpress:*:*
- Range: <2.0.2
Patches
Vulnerability mechanics
Root cause
"Missing access control check in export/content.php allows unauthenticated export of password-protected posts."
Attack vector
An unauthenticated attacker can access password-protected posts by sending a request to `/wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticles&callback=x`. The plugin's export endpoint fails to verify the post password before including the post in the JSON output, so the attacker receives the post title, author, date, link, and description (excerpt) without any authentication [ref_id=1]. The attack requires no special privileges, no cookies, and no nonce — only network access to the WordPress site.
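A log check for the request described above, as an added example that is not part of the original advisory: it scans web server access logs for requests to the export endpoint with `content=exportarticles` and marks those that were answered with a body. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and action named in the advisory text.
EXPORT_PATH = "/wp-content/plugins/wordpress-mobile-pack/export/content.php"
ACTION = "exportarticles"

# Apache/nginx "combined" log format (assumed; adjust for custom formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_export_request(target):
    """True if the request target hits the export endpoint with content=exportarticles."""
    parts = urlsplit(target)
    # Normalise percent-encoding, duplicate slashes and case before comparing.
    path = re.sub(r"/{2,}", "/", unquote(parts.path)).lower()
    if not path.endswith(EXPORT_PATH):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("content", [])
    return any(v.lower() == ACTION for v in values)

def find_export_hits(lines):
    """Return one dict per matching log line; served=True means a 2xx response with a body."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_export_request(m["target"]):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                     "bytes": size, "served": m["status"].startswith("2") and size > 0})
    return hits

# Constructed sample log lines (documentation IP ranges), not from a real server.
SAMPLE = [
    '203.0.113.7 - - [10/Aug/2014:09:12:01 +0000] "GET /wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticles&callback=x HTTP/1.1" 200 5312 "-" "curl/7.35.0"',
    '198.51.100.4 - - [10/Aug/2014:09:13:44 +0000] "GET /blog//wp-content/plugins/wordpress-mobile-pack/export/content.php?callback=cb&content=%65xportarticles HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Aug/2014:09:14:02 +0000] "GET /wp-content/plugins/wordpress-mobile-pack/export/content.php?content=other HTTP/1.1" 200 840 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Aug/2014:09:15:30 +0000] "GET /?p=12 HTTP/1.1" 200 10422 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_export_hits(SAMPLE):
        print(hit)
```

A hit with `served` set to true on a site that has password-protected posts is the case worth reviewing, since the response may have included their titles and excerpts.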
Affected code
The vulnerable file is `export/content.php` in the WordPress Mobile Pack plugin. The `exportarticles` action in that file does not enforce WordPress's built-in post password checks, so it returns password-protected posts without requiring the correct password.
What the fix does
The advisory states that the developer fixed the issue in version 2.0.2 of WordPress Mobile Pack [ref_id=1]. No patch diff is available in the bundle, but the remediation guidance is to upgrade to version 2.0.2 or later. The fix presumably adds a password-checking gate (e.g., calling `post_password_required()` or checking the `post_password` field) inside the `exportarticles` handler so that password-protected posts are excluded from the export unless the correct password is supplied.
Preconditions
- config: WordPress Mobile Pack plugin must be installed and activated (version before 2.0.2)
- input: At least one password-protected post must exist on the site
- network: Attacker must be able to send HTTP requests to the WordPress site (network access)
Reproduction
1. Create a password-protected post in WordPress.
2. Ensure the WordPress Mobile Pack plugin (version
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.