
Security Advisory – SOS-11-012 – WordPress Plugin – BackWPup 2.1.4

Release Date: 17-Oct-2011

Last Update:

Vendor Notification Date: 14-Oct-2011

Product: BackWPup

Platform: WordPress

Affected versions: 2.1.4

Severity Rating: High

Impact: System access

Attack Vector: Remote without authentication

Solution Status: Upgrade to 2.1.5

CVE reference: Not yet assigned

Details

A vulnerability has been discovered in the WordPress plugin BackWPup 2.1.4 which can be exploited by an unauthenticated remote attacker to execute local or remote code on the web server.

The BackWPUpJobTemp POST parameter of job/wp_export_generate.php is not validated, so an attacker can supply an FTP resource (a PHP stream wrapper URL pointing at a server they control) in place of a local job file.

The script downloads this resource and deserialises its contents, and values taken from the deserialised data are later passed to require_once. An attacker who controls the serialised data therefore controls the path that is included, and with it the code that the web server executes.
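The following PHP is an added example and is not the plugin's source or the advisory's proof of concept. It contrasts a hypothetical reconstruction of the vulnerable shape (user-supplied resource name, fetched, unserialised, and a value fed to require_once) with a hardened version that treats the parameter as a bare token confined to a fixed directory, parses a data-only format, and selects code from an allow-list. The function names, the `type`/`jobfile` keys and the handler file names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not BackWPup's code. Illustrates the bug class described in
// this advisory and one way to close it. Function and key names are hypothetical.

// Vulnerable shape (hypothetical reconstruction of the pattern, not the plugin
// source): the request parameter is used directly as a resource to read.
function load_job_temp_vulnerable(string $resource): void
{
    // PHP's stream wrappers make "ftp://host/file" a valid argument here, so the
    // bytes can come from a server the attacker controls.
    $raw  = file_get_contents($resource);
    $data = unserialize($raw);          // every value is attacker-controlled
    require_once $data['jobfile'];      // attacker chooses what gets included
}

// Hardened shape: the parameter is a bare token, the file must live in a fixed
// directory, the content is parsed as data, and code is chosen from an allow-list.
function load_job_temp_safe(string $name, string $tempDir): array
{
    // 1. A job id is a token, never a path or URL. This alone rejects
    //    "ftp://...", "php://...", "../x" and anything containing a slash.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid job temp name');
    }

    // 2. Resolve the path and confirm it is inside $tempDir (also covers
    //    symlinks and a misconfigured $tempDir).
    $base = realpath($tempDir);
    $path = realpath($tempDir . DIRECTORY_SEPARATOR . $name . '.json');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('job temp file not found in temp dir');
    }

    // 3. Parse a data-only format. Restricting unserialize() with
    //    allowed_classes would not help here: plain string values are the
    //    problem once they reach include/require.
    $data = json_decode((string) file_get_contents($path), true);
    if (!is_array($data) || !isset($data['type']) || !is_string($data['type'])) {
        throw new RuntimeException('malformed job temp file');
    }

    // 4. Map the job type to code with a fixed table; never require_once a
    //    path that came out of the data.
    $handlers = [                       // hypothetical handler files
        'export'  => __DIR__ . '/job/export.php',
        'archive' => __DIR__ . '/job/archive.php',
    ];
    if (!array_key_exists($data['type'], $handlers)) {
        throw new RuntimeException('unknown job type');
    }
    // require_once $handlers[$data['type']];   // would run the chosen handler
    return $data;
}

// Demonstration with a constructed job file in a scratch directory.
$tempDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backwpup-demo-' . bin2hex(random_bytes(4));
mkdir($tempDir, 0700);
file_put_contents($tempDir . '/job1.json', json_encode(['type' => 'export', 'jobid' => 1]));

$job = load_job_temp_safe('job1', $tempDir);
echo "accepted: job1 (type={$job['type']})\n";

// Constructed hostile values; each must fail the token check in step 1.
foreach (['ftp://198.51.100.7/payload', '../../wp-config', 'php://filter/resource=x', 'job1; id'] as $bad) {
    try {
        load_job_temp_safe($bad, $tempDir);
        echo "ACCEPTED (bug): $bad\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $bad\n";
    }
}

unlink($tempDir . '/job1.json');
rmdir($tempDir);
```

Run it with `php` from any directory; it creates and removes its own scratch files. The ordering of the checks matters: the token check runs before any filesystem or network call, so a wrapper URL is never passed to a function that would dereference it, and the allow-list in step 4 means that even a valid, well-formed job file can only select code that the plugin ships.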

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

Upgrade to BackWPup 2.1.5 or above.

Discovered By

Phil Taylor from Sense of Security Labs.

