During examination of the JetBackup plugin, a critical vulnerability was identified in the directory “/wordpress/wp-content/uploads/jetbackup/*”. This flaw exposes extensive information about the WordPress site, including its configuration, directories, and files. Moreover, it grants unauthorized access to sensitive data stored within the database and other files. Exploiting this vulnerability poses a significant threat, potentially leading to the compromise of the entire system.

Main info:

CVE: CVE-2023-7165
Plugin: JetBackup < 2.0.9.9
Critical: Super High
All Time: 3 361 781
Active installations: 40 000+
Publicly Published: January 30, 2023
Last Updated: January 30, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A3: Sensitive Data Exposure
PoC: Yes
Exploit: No
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7165
https://wpscan.com/vulnerability/ad1ef4c5-60c1-4729-81dd-f626aa0ce3fe/
Plugin Security Certification by CleanTalk

Timeline

November 30, 2023: Plugin testing and vulnerability detection in the JetBackup have been completed
November 30, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
December 25, 2023: The author fixed the vulnerability and released the plugin update
January 30, 2023: Registered CVE-2023-7165

Discovery of the Vulnerability

A severe vulnerability has been discovered in the directory /wordpress/wp-content/uploads/jetbackup/*. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but more critically, it provides unauthorized access to the database and all the data inside it. Exploiting this vulnerability poses an imminent threat: it opens the way to brute force attacks on password hashes and, subsequently, the compromise of the entire system.

Understanding Directory Listing + Sensitive Data Exposure Attacks

Directory listing refers to the capability of a web server to display the contents of a directory when no default document is specified. In WordPress, this can occur when directory indexing is enabled or when specific files within directories lack proper access controls. When coupled with sensitive data exposure, as in the case of the JetBackup plugin, it allows attackers to view and download critical information, such as backup files and logs.

For example, an attacker can exploit this vulnerability by accessing the “/wordpress/wp-content/uploads/jetbackup/*” directory, where backup files and logs are stored. Without proper access controls or index files, the attacker gains unrestricted visibility into the contents of the directory, including sensitive backup data and logs.

Exploiting the Directory Listing + Sensitive Data Exposure Vulnerability

POC:

1) Run backup function http://your_site/wordpress/wp-admin/admin.php?page=backup_guard_backups

2) When the backup is finished, the attacker browses the directory “/wordpress/wp-content/uploads/jetbackup/*”. Directory listing is enabled there, which allows all backups and all logs to be downloaded. The vulnerability is exploitable if the backup file was given a simple name.

The fix, then, is simply to add an index.php to the base directory of the backups.

___

The potential risks associated with this vulnerability are severe:

  • Unauthorized access to sensitive backup data and logs.
  • Compromise of the entire WordPress system.
  • Potential brute force attacks on password hashes and other sensitive information stored within the backup files.
  • Exposure of confidential information to malicious actors.

In a real-world scenario, an attacker could exploit this vulnerability to gain access to critical backup data and logs, compromising the integrity and security of the WordPress site.

Recommendations for Improved Security

To mitigate the risks posed by this vulnerability and enhance the security of the JetBackup plugin, the following recommendations are proposed:

  • Implement proper access controls and index files within the “/wordpress/wp-content/uploads/jetbackup/*” directory to prevent unauthorized directory listing.
  • Encrypt sensitive backup data to prevent unauthorized access even if directory listing vulnerabilities are present.
  • Regularly audit and monitor file permissions and access controls to identify and remediate vulnerabilities.
  • Employ intrusion detection and prevention systems to detect and block suspicious activities related to unauthorized directory listing and data exposure.
  • Keep the JetBackup plugin updated to the latest version to ensure that known vulnerabilities are patched promptly.
  • Educate website administrators about the importance of securing backup data and the risks associated with directory listing vulnerabilities.

By implementing these recommendations, website administrators can enhance the security of their WordPress sites and mitigate the risks posed by the JetBackup vulnerability.
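
One way to apply the first recommendation on the server, as an added example (not code from the JetBackup plugin or from this advisory): the script lists directories that have no index file, then adds an empty index.php to each and a deny-all .htaccess at the top of the tree. It assumes Apache 2.4 with .htaccess overrides enabled; the function names, the sample tree and its file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not JetBackup code. Assumes Apache 2.4 honouring .htaccess.

# List directories under $1 that contain no index file. With auto-indexing
# enabled, these are the directories the server renders as a file listing.
list_unindexed_dirs() {
    find "$1" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Put an empty index.php into every such directory, then deny HTTP access to
# the whole tree so that a guessed backup file name is refused as well.
harden_backup_dir() {
    list_unindexed_dirs "$1" | while IFS= read -r dir; do
        printf '<?php\n// Empty on purpose: stops directory listing.\n' \
            > "$dir/index.php"
    done
    printf 'Require all denied\n' > "$1/.htaccess"
}

# Constructed sample tree standing in for wp-content/uploads/jetbackup.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/backup_1/logs"
    : > "$root/backup_1/site.sql"
    : > "$root/backup_1/logs/backup.log"
    printf '%s\n' "$root"
}

# Usage: script.sh --demo   (runs on the constructed tree)
#        script.sh <dir>    (hardens an existing backup directory)
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "Listable before: $(list_unindexed_dirs "$tree" | wc -l)"
    harden_backup_dir "$tree"
    echo "Listable after:  $(list_unindexed_dirs "$tree" | wc -l)"
    rm -rf "$tree"
elif [ -n "${1:-}" ]; then
    harden_backup_dir "$1"
fi
```

The index.php files only stop the listing; the .htaccess rule is what refuses a direct request for a backup file whose name has been guessed.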


DMITRII I.
CVE-2023-7165 – JetBackup – Directory Listing to Account Takeover and Sensitive Data Exposure of Backup data – POC
