VYPR
High severity · NVD Advisory · Published Jul 15, 2021 · Updated Aug 3, 2024

Basic-auth app bundle credential exposure in gatsby-source-wordpress

CVE-2021-32770

Description

Gatsby-source-wordpress plugin leaks .htaccess HTTP Basic Auth credentials into the app.js bundle during build-time.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks HTTP Basic Authentication credentials configured in the auth.htaccess section of gatsby-config.js into the built app.js bundle. This occurs during build-time when the plugin processes authentication variables without filtering them from the client-side bundle. Only users who have initialized basic authentication credentials in their gatsby-config.js are affected [1][2].

Exploitation

An attacker does not require any special network position or authentication; they only need access to the publicly served app.js file of a Gatsby site built with an affected version. By examining the JavaScript bundle (e.g., via browser developer tools or direct download), the attacker can extract the plaintext username and password that were intended for .htaccess protection [1][2].

Impact

Successful exploitation results in the disclosure of HTTP Basic Authentication credentials (username and password) for the WordPress site's .htaccess protection. This could allow an attacker to gain unauthorized access to the WordPress admin panel or other protected resources, potentially leading to further compromise of the site [1][2].

Mitigation

A patch has been introduced in gatsby-source-wordpress@4.0.8 and gatsby-source-wordpress@5.9.2 that filters all variables specified in the auth: { } section from the bundle. Users should upgrade to the latest release, then run gatsby clean followed by gatsby build. As a workaround, one may manually edit the app.js file post-build to remove the leaked credentials [1][2].
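Whichever route is taken (upgrading and rebuilding, or editing the bundle by hand), the sensible follow-up is a build gate that fails if any configured Basic Auth value is still present in the emitted JavaScript. The following POSIX shell function is an added example, not code from Gatsby or gatsby-source-wordpress; it assumes the build output lives under the directory passed as the first argument (normally ./public) and that the username and password from the auth.htaccess block of gatsby-config.js are supplied as the remaining arguments. The environment variable names in the usage comment are placeholders.

```shell
#!/bin/sh
# Post-build leak check for a Gatsby site (added example, not project code).
# Assumptions: $1 is the build output directory; the remaining arguments are the
# Basic Auth values from the auth.htaccess block of gatsby-config.js.
# Exit status 0: none of the values appears in any .js file under $1.
# Exit status 1: at least one value was found.  Exit status 2: no such directory.
bundle_is_clean() {
  dir="$1"
  shift
  [ -d "$dir" ] || { echo "no build directory: $dir" >&2; return 2; }
  leaked=0
  for secret in "$@"; do
    # An empty string would match every file, so it is never treated as a secret.
    [ -n "$secret" ] || continue
    # Fixed-string match (-F) so '.', '$' or '*' inside a password are not regex
    # metacharacters; -l lists matching files and 'grep -q .' tests for any output.
    if find "$dir" -type f -name '*.js' -exec grep -lF -- "$secret" {} + | grep -q .; then
      # The value itself is deliberately not echoed.
      echo "LEAK: a configured Basic Auth value appears in a bundle under $dir" >&2
      leaked=1
    fi
  done
  return $leaked
}

# Assumed invocation as a build gate (variable names are placeholders):
#   gatsby clean && gatsby build \
#     && bundle_is_clean ./public "$WP_HTACCESS_USER" "$WP_HTACCESS_PASS"
```

Because the check searches every .js file under the output directory rather than only app.js, it also covers the case where the credentials end up in a different chunk after a later Gatsby or webpack change.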

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Ecosystem  Affected versions   Patched version
gatsby-source-wordpress  npm        < 4.0.8             4.0.8
gatsby-source-wordpress  npm        >= 5.0.0, < 5.9.2   5.9.2

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.