WordPress "Timeleaks": when an image you thought was private is public

Most people think 'draft' means private and 'delete' means gone. With media files hosted by popular blog and CMS systems, that's not always true.

Cybersecurity researchers from Labs at ITRES have uncovered a systemic privacy flaw affecting millions of WordPress websites using the popular Jetpack plugin.

The discovery, dubbed "CMS Media Timeleaks," reveals that sensitive images, even those deleted or redacted by editors, often remain publicly indexed and accessible through automated sitemaps.

For years, website editors have operated under the assumption that replacing a sensitive image with another or deleting a block in the WordPress editor removes that content from public view.

The research from ITRES proves this is a dangerous misconception. Due to the way Jetpack generates image sitemaps, original, unredacted files remain "advertised" to search engines and scrapers, creating a significant Operational Security (OpSec) risk.

THE TIMELEAK ISSUE

The research identifies two primary ways data "leaks" through the digital timeline.

1. Leaking the Past: An editor replaces a sensitive screenshot with a blurred version. While the blog post looks safe, Jetpack's sitemap continues to provide a direct link to the original, unredacted file.

2. Leaking the Future: Images uploaded to a "Draft" post (such as internal diagrams or confidential research) are often assigned a public URL and remain reachable before the article is published.

WHY THIS MATTERS

If a team uploads screenshots, drafts, or sensitive material, this can accidentally expose internal documents, unreleased announcements, private/pre-redacted screenshots or any kind of prívate data.

A DESIGN FLAW, NOT A BUG

When reported to Automattic (the creators of WordPress.com and Jetpack), the vendor stated the behavior is "working as intended," noting that media attachments are public by default.

"This is a classic mismatch between how software is built and how humans actually use it," says the research team at ITRES. "Engineers see a feature; a cybersecurity professional sees a confidentiality flaw. If you redact a document, you expect the secret to be gone. In the current CMS model, that secret is often just one click away in a hidden list."

DETECTION AND IMPACT

The researchers performed a shallow scan of over 20,000 websites and confirmed the leak is widespread, affecting everything from personal blogs to high-profile cybersecurity firms. To help the community, ITRES has released JetGhost, an open-source tool that allows website owners to scan their own sitemaps for "ghost" images.

Full Analysis: https://labs.itresit.es/2025/12/17/cms-media-timeleaks-jetpack-wordpress

Detection tool:
https://github.com/itres-labs/JetGhost-Suite

ITRESIT SOLUCIONES INFORMATICAS SL
Avenida de Murcia 23 Bajo
30110 · Cabezo de Torres, Murcia
+34 868 300 513

Eva Adanez - Marketing Manager
marketing@itresit.es

Labs at ITRES is the offensive research division of ITRES, a leading European cybersecurity firm specializing in pentesting, incident response, and advanced threat intelligence. They focus on identifying systemic flaws in modern digital infrastructure to help organizations stay one step ahead of emerging threats.

This release was published on openPR.