
CVE-2023-5504

BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal

  • Severity Score: 8.7 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: Track (SSVC)
Descriptions

The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server, provided the server can write to them. Additionally, when the first backup job is run, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present); these files are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to the root of another site in a shared environment and thus disable that site.

*Credits: Marco Wotschka
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: None
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-10-10 CVE Reserved
  • 2023-11-22 CVE Published
  • 2024-01-18 EPSS Updated
  • 2024-11-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Inpsyde
  • Product: Backwpup
  • Version: <= 4.0.1
  • Other: wordpress
  • Status: Affected