Sense of Security is one of Australia’s most trusted providers of cyber resilience, information security and risk management services.

Latest announcements
© Copyright Sense of Security

Security Advisory – SOS-11-012 – WordPress Plugin – BackWPUp 2.1.4

Release Date: 17-Oct-2011

Last Update:

Vendor Notification Date: 14-Oct-2011

Product: BackWPUp

Platform: WordPress

Affected versions: 2.1.4

Severity Rating: High

Impact: System access

Attack Vector: Remote without authentication

Solution Status: Upgrade to 2.1.5

CVE reference: Not yet assigned


A vulnerability has been discovered in the WordPress plugin BackWPup 2.1.4 which can be exploited to execute local or remote code on the web server.

There is a lack of data validation on the BackWPUpJobTemp POST parameter of job/wp_export_generate.php allowing an attacker to specify FTP resources as input.

This resource is downloaded and deserialised by the wp_export_generate.php script and variables from this deserialisation are later passed to require_once.

Please refer to the PDF version of this advisory for proof of concept code examples.


Upgrade to BackWPUp 2.1.5 of above.

Discovered By

Phil Taylor from Sense of Security Labs.

Our expert consultants are here to help you. For all your Cyber Security needs please contact us today.

No Comments

Sorry, the comment form is closed at this time.