Practical Web Penetration Testing

by Gus Khawaja
June 2018
Intermediate to advanced
294 pages
7h 5m
English
Packt Publishing
Content preview from Practical Web Penetration Testing

Information disclosure – confidentiality

Threat Description

Exposing information (at rest and in transit) to someone not authorized to see it.

Threat Target

Application (WordPress) data.

Attacker Steps

An attacker can do the following for this type of threat:

  • Read data in transit
  • Read data from logs
  • Read data from error messages
  • Blog article contents can reveal confidential information
  • A hacker can exfiltrate data through SQL Injection attacks
  • A hacker with direct access to the database can query its data

Counter-measure

  • Use only TLS for data in transit
  • Logs should not contain confidential information
  • Error messages should be generic
  • Blog articles will be approved by admins before they are published
  • Admins ...
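As an added example (not code from the book or from WordPress itself), the "generic error messages" and "no confidential information in logs" counter-measures above can be implemented in a plugin or a theme's functions.php like this; the `pwpt_` function names and the redaction patterns are this example's own assumptions, and it assumes it is loaded inside WordPress so `wp_die`, `wp_generate_password` and `$wpdb` are available.

```php
<?php
// Added example: users see only a generic message; logs get redacted detail.
// Assumes it runs inside WordPress (wp_die, wp_generate_password, $wpdb available).

// Scrub values that must never land in a log file: credentials, tokens, e-mails,
// and long digit runs (card or account numbers). Patterns are assumptions for the example.
function pwpt_redact_for_log(string $message): string {
    $patterns = [
        '/(password|passwd|pwd|token|secret|api[_-]?key)\s*[=:]\s*\S+/i' => '$1=[REDACTED]',
        '/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/'               => '[EMAIL REDACTED]',
        '/\b\d{13,19}\b/'                                                 => '[NUMBER REDACTED]',
    ];
    return preg_replace(array_keys($patterns), array_values($patterns), $message);
}

// Log the technical detail (redacted) under a random reference ID, then show the
// user only a generic message carrying that ID so support can match the two.
function pwpt_fail_generic(Throwable $e): void {
    $ref = wp_generate_password(12, false, false); // WP helper reused as a random reference
    error_log(sprintf('[%s] %s in %s:%d', $ref,
        pwpt_redact_for_log($e->getMessage()), $e->getFile(), $e->getLine()));
    wp_die(
        esc_html('Something went wrong. Reference: ' . $ref),
        'Error',
        ['response' => 500]
    );
}

// Example call site: database work is wrapped so an exception never reaches the
// browser verbatim, and the query is parameterised via $wpdb->prepare().
function pwpt_lookup_subscriber(string $email) {
    global $wpdb;
    try {
        $sql = $wpdb->prepare("SELECT ID FROM {$wpdb->users} WHERE user_email = %s", $email);
        $id  = $wpdb->get_var($sql);
        if ($wpdb->last_error !== '') {
            // Raw DB error text would contain the e-mail and table names; it is
            // redacted by pwpt_fail_generic() before being logged.
            throw new RuntimeException('DB error for ' . $email . ': ' . $wpdb->last_error);
        }
        return $id;
    } catch (Throwable $e) {
        pwpt_fail_generic($e);
    }
}
```

With `WP_DEBUG_DISPLAY` left off in wp-config.php, the browser only ever sees the generic message and reference, while the redacted detail stays in the server log.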

ISBN: 9781788624039