The BackWPup plugin for WordPress has been identified to contain a Directory Traversal vulnerability in versions up to, and including, 4..1. The exploit allows authenticated attackers to store their backups in arbitrary folders on the server, so long as the server can write to those predetermined folders. In a shared environment, an attacker could potentially set the backup directory to the root of another site, disabling the affected site.

Exploit Details

The vulnerability is present in the plugin's function to handle log files. By exploiting this vulnerability, an authenticated attacker can store backups in unauthorized directories/folders.

Original References

- BackWPup Plugin Official Website
- CVE-2023-5504 Vulnerability Details
- WordPress Vulnerability Database

Below is a code snippet representing how the vulnerability could be exploited by an attacker

function backwpup_logfile_folder( $folder, $jobid ) {
    $new_folder = $_POST['new_folder'];

    if( isset( $new_folder ) && !empty( $new_folder ) ) {
        $folder = '../../../../' . $new_folder;
    }

    return $folder;
}

This sample code demonstrates how the attacker could set the $new_folder variable to navigate through the directory, effectively exploiting the directory traversal vulnerability.

Mitigation

To fix the vulnerability, users of the BackWPup plugin are advised to upgrade to the latest version, which is 4..2 or newer. The update resolves the directory traversal issue by utilizing a new method for handling log file folders and adding additional security checks to ensure authorized access.

You can download the latest version of the plugin from the official BackWPup website.

Additionally, it is recommended to use proper access controls and permissions on the server and hosting environment to prevent an authenticated attacker from storing harmful backups on the server.

Conclusion

By being aware of the CVE-2023-5504 vulnerability in the BackWPup plugin for WordPress and understanding how attackers can exploit it, users can take preventative measures to secure their sites, such as updating to the latest version of the plugin. Implementing strong access controls and permissions on the server will further discourage unauthorized access and maintain the integrity of a website's data. Always staying up to date with the latest security patches and updates is the first step in ensuring a safe and secure online experience.

Timeline

Published on: 01/11/2024 09:15:47 UTC
Last modified on: 01/17/2024 19:50:57 UTC