During examination of the JetBackup plugin, a critical vulnerability was identified in the directory “/wordpress/wp-content/uploads/jetbackup/*”. This flaw exposes extensive information about the WordPress site, including its configuration, directories, and files. Moreover, it grants unauthorized access to sensitive data stored within the database and other files. Exploiting this vulnerability poses a significant threat, potentially leading to the compromise of the entire system.
Main info:
CVE | CVE-2023-7165 |
Plugin | JetBackup < 2.0.9.9 |
Critical | Super High |
All Time | 3 361 781 |
Active installations | 40 000+ |
Publicly Published | January 30, 2023 |
Last Updated | January 30, 2023 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A3: Sensitive Data Exposure |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7165 https://wpscan.com/vulnerability/ad1ef4c5-60c1-4729-81dd-f626aa0ce3fe/ |
Timeline
November 30, 2023 | Plugin testing and vulnerability detection in the JetBackup have been completed |
November 30, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
December 25, 2023 | The author fixed the vulnerability and released the plugin update |
January 30, 2023 | Registered CVE-2023-7165 |
Discovery of the Vulnerability
A severe vulnerability has been discovered in the directory /wordpress/wp-content/uploads/jetbackup/*. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but, more critically, it gives unauthorized access to sensitive data stored in the database. Exploiting this vulnerability poses an imminent threat: it can lead to brute force attacks on password hashes and, subsequently, to the compromise of the entire system.
Understanding Directory Listing + Sensitive Data Exposure attacks
Directory listing refers to the capability of a web server to display the contents of a directory when no default document is specified. In WordPress, this can occur when directory indexing is enabled or when specific files within directories lack proper access controls. When coupled with sensitive data exposure, as in the case of the JetBackup plugin, it allows attackers to view and download critical information, such as backup files and logs.
For example, an attacker can exploit this vulnerability by accessing the “/wordpress/wp-content/uploads/jetbackup/*” directory, where backup files and logs are stored. Without proper access controls or index files, the attacker gains unrestricted visibility into the contents of the directory, including sensitive backup data and logs.
Exploiting the Directory Listing + Sensitive Data Exposure Vulnerability
POC:
1) Run the backup function: http://your_site/wordpress/wp-admin/admin.php?page=backup_guard_backups
2) When the scan is over, the attacker browses the directory “/wordpress/wp-content/uploads/jetbackup/*”. Directory listing is available there, which allows all backups and all logs to be downloaded. The vulnerability is exploitable if the backup file has been given a simple name.
So, just add an index.php file to the base directory of the backups.
___
The potential risks associated with this vulnerability are severe:
- Unauthorized access to sensitive backup data and logs.
- Compromise of the entire WordPress system.
- Potential brute force attacks on password hashes and other sensitive information stored within the backup files.
- Exposure of confidential information to malicious actors.
In a real-world scenario, an attacker could exploit this vulnerability to gain access to critical backup data and logs, compromising the integrity and security of the WordPress site.
Recommendations for Improved Security
To mitigate the risks posed by this vulnerability and enhance the security of the JetBackup plugin, the following recommendations are proposed:
- Implement proper access controls and index files within the “/wordpress/wp-content/uploads/jetbackup/*” directory to prevent unauthorized directory listing.
- Encrypt sensitive backup data to prevent unauthorized access even if directory listing vulnerabilities are present.
- Regularly audit and monitor file permissions and access controls to identify and remediate vulnerabilities.
- Employ intrusion detection and prevention systems to detect and block suspicious activities related to unauthorized directory listing and data exposure.
- Keep the JetBackup plugin updated to the latest version to ensure that known vulnerabilities are patched promptly.
- Educate website administrators about the importance of securing backup data and the risks associated with directory listing vulnerabilities.
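The index-file fix and the first recommendation above can be checked and applied on the server with a short script. This is an added example, not code from the plugin or its authors; the file names in the sample tree are constructed, and the `.htaccess` rule assumes Apache 2.4 with `.htaccess` overrides enabled.

```python
import os
import tempfile

INDEX_NAMES = {"index.php", "index.html", "index.htm"}
INDEX_STUB = "<?php\n// Intentionally empty: stops the server from listing this directory.\n"
# Apache 2.4 syntax (assumption). An index file only hides the listing; the deny
# rule is what blocks direct download of a backup whose name can be guessed.
HTACCESS_DENY = "Require all denied\n"


def listable_dirs(base):
    """Directories under base (inclusive) that contain no index file."""
    return sorted(root for root, _dirs, files in os.walk(base)
                  if not INDEX_NAMES & set(files))


def harden(base):
    """Add an index.php stub to every listable directory and a deny-all .htaccess at base."""
    fixed = listable_dirs(base)
    for directory in fixed:
        with open(os.path.join(directory, "index.php"), "w") as fh:
            fh.write(INDEX_STUB)
    htaccess = os.path.join(base, ".htaccess")
    if not os.path.exists(htaccess):  # never overwrite an existing policy
        with open(htaccess, "w") as fh:
            fh.write(HTACCESS_DENY)
    return fixed


def demo():
    """Build a constructed jetbackup-like tree, audit it, harden it, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "wp-content", "uploads", "jetbackup")
        os.makedirs(os.path.join(base, "backup_1"))
        for name in ("backup_1.sql", "backup_1_log.txt"):  # constructed names
            open(os.path.join(base, "backup_1", name), "w").close()
        before = [os.path.relpath(d, base) for d in listable_dirs(base)]
        harden(base)
        after = listable_dirs(base)
        with open(os.path.join(base, ".htaccess")) as fh:
            deny = fh.read()
    return before, after, deny


if __name__ == "__main__":
    print(demo())
```

On a live site, call `listable_dirs()` with the real path to the `jetbackup` uploads directory first and review the result before running `harden()`.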
By implementing these recommendations, website administrators can enhance the security of their WordPress sites and mitigate the risks posed by the JetBackup vulnerability.
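For the monitoring recommendation, the following added example (not part of the original advisory) scans web server access logs for successful reads under the JetBackup uploads directory. It assumes the common/combined log format; the log lines and IP addresses are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
BACKUP_DIR = "/wp-content/uploads/jetbackup/"

# Constructed sample lines (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Nov/2023:10:01:02 +0000] "GET /wordpress/wp-content/uploads/jetbackup/ HTTP/1.1" 200 1843
203.0.113.7 - - [30/Nov/2023:10:01:09 +0000] "GET /wordpress/wp-content/uploads/jetbackup/backup_1/backup_1.sql HTTP/1.1" 200 52428800
198.51.100.4 - - [30/Nov/2023:10:02:00 +0000] "GET /wordpress/wp-content/uploads/2023/11/logo.png HTTP/1.1" 200 4096
198.51.100.9 - - [30/Nov/2023:10:03:00 +0000] "GET /wordpress/wp-content/uploads/jetbackup/ HTTP/1.1" 403 199
"""


def find_backup_reads(log_text):
    """Map client IP -> [(kind, path)] for successful reads under the backup directory."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        # Drop the query string and decode %-escapes before matching the path.
        path = unquote(m["path"].split("?", 1)[0])
        if BACKUP_DIR not in path or m["status"] not in ("200", "206"):
            continue  # unrelated path, or the server refused the request
        # "directory": the directory URL itself answered 200; "file": a file was served.
        kind = "directory" if path.endswith("/") else "file"
        hits[m["ip"]].append((kind, path))
    return dict(hits)


if __name__ == "__main__":
    for ip, reads in find_backup_reads(SAMPLE_LOG).items():
        print(ip, reads)
```

Any `file` hit from an address that is not an administrator's means a backup or log left the server and the credentials it contains should be treated as exposed.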
DMITRII I.