Syncee - Global Dropshipping < 1.0.10 - Authentication Token Disclosure
Description
The Syncee WordPress plugin before 1.0.10 leaks the administrator token that can be used to take over the administrator's account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Syncee - Global Dropshipping (no CPE); affected range: < 1.0.10
Package: https://wordpress.org/plugins/syncee
Patches
Vulnerability mechanics
Root cause
"The plugin exposes the administrator's authentication token without proper access controls, allowing unauthenticated disclosure of sensitive data."
Attack vector
An unauthenticated attacker can access a URL or endpoint in the Syncee plugin that leaks the administrator's authentication token [ref_id=1]. The plugin fails to restrict access to this sensitive data, so no authentication or special privileges are required to retrieve the token [CWE-200]. Once obtained, the token can be used to impersonate the administrator and take over the account [ref_id=1]. The attack requires only network access to the WordPress site and knowledge of the vulnerable endpoint.
Affected code
The advisory does not specify the exact file or function responsible for the leak. The vulnerable component is within the Syncee - Global Dropshipping plugin for WordPress, versions before 1.0.10 [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 1.0.10 of the Syncee plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds proper access controls to prevent unauthenticated access to the endpoint that exposes the administrator token. The remediation ensures that sensitive authentication data is only disclosed to authorized users.
Preconditions
- Configuration: The target WordPress site must have the Syncee plugin installed and active in a version before 1.0.10.
- Network: The attacker must be able to make HTTP requests to the vulnerable endpoint on the WordPress site.
Reproduction
The advisory does not include explicit reproduction steps beyond stating that the plugin leaks the administrator token [ref_id=1]. The linked WPScan page is the same advisory and does not contain a step-by-step PoC.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://wpscan.com/vulnerability/ad12bab7-9baf-4646-a93a-0d3286407c1e (tags: mitre, exploit, vdb-entry, technical-description)