Hi,

I found a vulnerability in the auto-completion plugin.

The auto-completion plugin exposes an XML file containing all the words typed inside the posts both private and public. This file is exposed without authentication at :

https://www.adomain.tld/plugins/web/service/search/auto-completion/adomain/en.xml

It is possible for an attacker to extract the complete content of the xml file even with the limit set to 10 matching results using API scrapping techniques such as this one: https://podalirius.net/en/articles/scraping-search-apis-depth-first-style/

The information present in this xml file can contain sensitive information such as passwords, IP addresses, usernames and emails. I successfully managed to get a list of valid usernames from this auto-completion XML file in one of my clients apps, without authentication.

Fix: I think the auto-completion plugin should not expose this XML file at all, but if it does it should be at least protected by authentication.

Best regards,