WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini.
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.