
"The premature exposure of the OBR's November 2025 Economic and Fiscal Outlook (EFO) followed from a misunderstanding of a WordPress plugin called Download Monitor and a failure to configure the server to block direct access to download directories. The errors allowed non-government personnel - including, perhaps, journalists - to view the EFO prior to publication. Whoever gained access to the information was looking for it - predictable resource identifiers represent a longstanding security vulnerability."
"WordPress is the world's most popular content management system, but not so much with the UK government. The country's Office for Budget Responsibility (OBR) has blamed an inadvertent budget disclosure last week on misconfiguration of its WordPress website. The snafu, first reported by Reuters, roiled UK markets, elicited scathing political criticism, and prompted the fiscal watchdog to apologize. The OBR promised a swift investigation, helmed by OBR's Oversight Board members Baroness Sarah Hogg and Dame Susan Rice."
An inadvertent disclosure exposed the Office for Budget Responsibility's unpublished November 2025 Economic and Fiscal Outlook. The cause was a misconfigured WordPress plugin (Download Monitor) combined with a failure to block direct web access to the directory where uploaded files are stored, so the PDF became fetchable at a predictable URL the moment it was uploaded, with no authentication or publication embargo in the way. Predictable resource identifiers and an unprotected directory were enough for non-government personnel to locate the file. Server logs show the first request for the URL at 05:16 GMT on 26 November, followed by 44 unsuccessful requests from seven unique IP addresses before a third-party web developer uploaded the file between 11:30 and 11:35; the URL was then accessed successfully. One of the first IP addresses to retrieve the file had already made earlier, failed requests for the same URL, indicating a deliberate search for the resource rather than chance discovery. Oversight Board members Baroness Sarah Hogg and Dame Susan Rice are leading the investigation, with Ciaran Martin consulted.
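The pattern in the logs described above (repeated 404s for a guessable path from a handful of IPs, then a 200 as soon as the file lands) is exactly what a web server access log can surface before anyone notices a leak. The script below is an added example, not code from the article, The Register or the OBR: it parses combined-format access log lines, reports who probed a target path before it first returned 200, which of those IPs later fetched it, and which IPs were guessing filenames under the upload directory. The log lines, IP addresses and the upload path are constructed for illustration; the directory name is an assumed stand-in, not necessarily Download Monitor's real storage location.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed combined-format log lines (illustrative, NOT the OBR's real logs).
# The path below is an assumed stand-in for a predictable plugin upload location.
UPLOAD_DIR = "/wp-content/uploads/download-manager-files/"
TARGET = UPLOAD_DIR + "EFO_November_2025.pdf"

SAMPLE_LOG = """\
198.51.100.7 - - [26/Nov/2025:05:16:02 +0000] "GET /wp-content/uploads/download-manager-files/EFO_November_2025.pdf HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2025:05:16:40 +0000] "GET /wp-content/uploads/download-manager-files/EFO_Nov_2025.pdf HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Nov/2025:07:02:11 +0000] "GET /wp-content/uploads/download-manager-files/EFO_November_2025.pdf HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.44 - - [26/Nov/2025:08:30:05 +0000] "GET /wp-content/uploads/download-manager-files/EFO_November_2025.pdf HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [26/Nov/2025:10:45:59 +0000] "GET /wp-content/uploads/download-manager-files/EFO_November_2025.pdf HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2025:11:33:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2025:11:36:01 +0000] "GET /wp-content/uploads/download-manager-files/EFO_November_2025.pdf HTTP/1.1" 200 2048000 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Nov/2025:11:40:12 +0000] "GET /wp-content/uploads/download-manager-files/EFO_November_2025.pdf HTTP/1.1" 200 2048000 "-" "curl/8.4.0"
192.0.2.99 - - [26/Nov/2025:11:50:30 +0000] "GET /wp-content/uploads/download-manager-files/EFO_November_2025.pdf HTTP/1.1" 200 2048000 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def analyse_target(log_text, target):
    """Summarise pre-publication probing of one exact path.

    A 'probe' is any non-200 request for the path before its first 200.
    """
    entries = [e for e in map(parse_line, log_text.splitlines()) if e and e["path"] == target]
    entries.sort(key=lambda e: e["ts"])
    first_success = next((e["ts"] for e in entries if e["status"] == 200), None)
    probes = [
        e for e in entries
        if e["status"] != 200 and (first_success is None or e["ts"] < first_success)
    ]
    fetchers = {e["ip"] for e in entries if e["status"] == 200}
    probing_ips = Counter(e["ip"] for e in probes)
    return {
        "first_probe": probes[0]["ts"].isoformat() if probes else None,
        "probe_count": len(probes),
        "probing_ips": dict(probing_ips),
        "first_success": first_success.isoformat() if first_success else None,
        # IPs that guessed the URL before it existed and then downloaded it:
        # the strongest signal of a deliberate search rather than a stray hit.
        "probed_then_fetched": sorted(probing_ips.keys() & fetchers),
    }


def enumerating_ips(log_text, prefix, threshold=2):
    """Return IPs with at least `threshold` 404s for paths under `prefix`.

    Catches filename guessing (EFO_Nov_2025.pdf, EFO_November_2025.pdf, ...)
    that exact-path matching would miss.
    """
    misses = Counter(
        e["ip"] for e in map(parse_line, log_text.splitlines())
        if e and e["status"] == 404 and e["path"].startswith(prefix)
    )
    return sorted(ip for ip, n in misses.items() if n >= threshold)


if __name__ == "__main__":
    for k, v in analyse_target(SAMPLE_LOG, TARGET).items():
        print(f"{k}: {v}")
    print("enumerating_ips:", enumerating_ips(SAMPLE_LOG, UPLOAD_DIR))
```

Run over real logs, `analyse_target` answers the questions the OBR investigation had to answer from its own logs (when probing began, how many attempts and from how many addresses, and who fetched the file once it existed), and `enumerating_ips` is the alert you would actually want to fire in advance: a burst of 404s under an upload directory is a guessing campaign, and it arrives before the file does.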
Read at The Register