Description

This application contains one or more pages with what appears to be a session token in the query parameters. A session token is sensitive information and should not be stored in the URL. URLs could be logged or leaked via the Referer header.

Remediation

The session should be maintained using cookies (or hidden input fields).

References

Session Management - OWASP Cheat Sheet Series

Session fixation | OWASP Foundation

Related Vulnerabilities

Password found in server response

WordPress 5.3.x Multiple Vulnerabilities (5.3 - 5.3.15)

WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more Multiple Vulnerabilities (1.17.1)

WordPress Plugin W3 Total Cache Information Disclosure (0.9.2.4)

WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more Information Disclosure (1.8.11)

Severity

Low

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure Configuration