WordPress Plugin Vulnerability Report – BackWPup – Authenticated (Administrator+) Directory Traversal – CVE-2023-5504
Plugin Name: BackWPup
Key Information:
- Software Type: Plugin
- Software Slug: backwpup
- Software Status: Active
- Software Author: wp_media
- Software Downloads: 13,284,859
- Active Installs: 600,000
- Last Updated: November 22, 2023
- Patched Versions: 4.0.2
- Affected Versions: <= 4.0.1
Vulnerability Details:
- Name: BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal
- Title: Authenticated (Administrator+) Directory Traversal
- Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CVE: CVE-2023-5504
- CVSS Score: 8.7 (High)
- Publicly Published: November 22, 2023
- Researcher: Marco Wotschka
- Description: The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present) when the first backup job is run that are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to the root of another site in a shared environment and thus disable that site.
Summary:
The BackWPup plugin for WordPress has a vulnerability in versions up to and including 4.0.1 that allows authenticated users to traverse directories and store backups in arbitrary folders they have write access to. This has been patched in version 4.0.2.
Detailed Overview:
On November 22nd, 2023, researcher Marco Wotschka publicly disclosed an authenticated directory traversal vulnerability in the popular BackWPup WordPress backup plugin. This vulnerability exists in versions up to and including 4.0.1 and allows authenticated users with at least Administrator access to traverse directories and store backup archives in folders they otherwise would not have access to.
Specifically, the vulnerability exists in the "Log File Folder" setting, which allows configuring a custom folder to store log files. By inserting directory traversal sequences into this path, attackers can escape the intended log file directory and place backups in arbitrary writeable folders on the server. This could enable attackers to overwrite or corrupt other files on shared hosts.
The vulnerability has received a CVSS v3 base score of 8.7 (High severity). All users are strongly advised to update to BackWPup version 4.0.2 or higher as soon as possible to mitigate this vulnerability. No specific exploitation has been publicly reported at the time of writing.
Advice for Users:
- Immediate Action: Update to BackWPup version 4.0.2 or higher as soon as possible.
- Check for Signs of Vulnerability: Review your configured "Log File Folder" under BackWPup settings and ensure no malicious paths have been entered. Also scan files for unexpected changes.
- Alternate Plugins: Consider alternate backup plugins such as UpdraftPlus Backup as a precaution until more is known about exploitation risk.
- Stay Updated: Enable automatic background updates for plugins and themes to receive security fixes in a timely manner.
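As an added example (not the plugin's own code and not from the report above), a small Python audit that resolves a stored "Log File Folder" value the way the filesystem would and flags any value that escapes the site's own tree, which is what the "Check for Signs of Vulnerability" step above asks you to confirm. The `/var/www/<site>` layout and the default log base under `wp-content/uploads` are assumptions for the example; the sample settings are constructed.

```python
import posixpath

# Assumed shared-host layout for this example: each site lives under /var/www/<site>
# and BackWPup's default log folder sits inside that site's uploads directory.
SITE_ROOT = "/var/www/site-a"


def default_log_base(site_root: str) -> str:
    """Assumed default location of the log folder for a given site root."""
    return posixpath.join(site_root, "wp-content/uploads/backwpup-logs")


def resolve_log_folder(configured: str, base: str) -> str:
    """Resolve a Log File Folder value as the filesystem would: an absolute value
    stands on its own, a relative one is joined to the default base, and '.', '..'
    and doubled separators are collapsed. No filesystem access is needed, so a
    setting exported from the database can be audited offline."""
    candidate = configured if posixpath.isabs(configured) else posixpath.join(base, configured)
    return posixpath.normpath(candidate)


def is_inside(path: str, root: str) -> bool:
    """Component-wise containment check. commonpath compares path components, so
    '/var/www/site-a-evil' is correctly NOT inside '/var/www/site-a' (a plain
    string-prefix test would get that wrong)."""
    root = posixpath.normpath(root)
    return posixpath.commonpath([root, path]) == root


def classify_log_folder(configured: str, site_root: str = SITE_ROOT) -> tuple:
    """Return (verdict, resolved_path). 'escapes' means a backup job would write
    its index.php and .htaccess outside this site, e.g. into another site's
    document root, which is the impact the advisory describes."""
    resolved = resolve_log_folder(configured, default_log_base(site_root))
    return ("ok" if is_inside(resolved, site_root) else "escapes"), resolved


def audit_settings(settings: dict) -> dict:
    """Audit {site: (site_root, configured_value)} and map each site to its verdict."""
    return {site: classify_log_folder(value, root) for site, (root, value) in settings.items()}


# Constructed sample settings for three sites on the same host.
SAMPLE = {
    "site-a": ("/var/www/site-a", "archive/2023"),
    "site-b": ("/var/www/site-b", "../../../../site-c"),
    "site-c": ("/var/www/site-c", "/var/www/site-a/"),
}

if __name__ == "__main__":
    for site, (verdict, path) in audit_settings(SAMPLE).items():
        print(f"{site}: {verdict:8} -> {path}")
```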
Conclusion:
The prompt patch from the BackWPup developers addresses this high severity path traversal issue. Users should apply the latest plugin update to prevent unauthorized modification or disclosure of sensitive files. As always, using the principle of least privilege for admin users and staying current with releases are the best practices for securing WordPress.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/backwpup
Detailed Report:
WordPress powers over 43% of all websites, making it an attractive target for hackers seeking security flaws. Unfortunately, a serious vulnerability was recently disclosed in the popular BackWPup backup plugin, underscoring the importance of timely updates. This vulnerability enables authenticated users to traverse directories and store backups far outside intended locations. Left unpatched, this could allow hackers to overwrite web files and disable sites. While no active exploitation has been reported yet, the risks are too severe to ignore.
If you use the BackWPup plugin, update to version 4.0.2 immediately. Even if your site runs flawlessly now, dormant vulnerabilities dramatically lower your security posture over time. We realize keeping WordPress and its plugins current feels never-ending, but this single act does more for security than anything else. Our team is here to help update your site and lock things down. Don’t wait until it’s too late. Reach out today and let’s make sure your site stays secure.
About the BackWPup Plugin
The BackWPup plugin is a popular backup solution used by over 600,000 WordPress websites. It allows administrators to schedule and manage backups of their WordPress sites to ensure continuity in the face of disasters. The plugin has over 13 million total downloads and is developed by German vendor wp_media.
Vulnerability Details
Researcher Marco Wotschka recently disclosed a major vulnerability in BackWPup versions up to and including 4.0.1. This vulnerability allows users with administrator access to traverse directories outside of intended backup locations and store archives far outside the regular WordPress file structure. Attackers could leverage this to overwrite other website files stored on the same server, leading to defacements, data loss, or full site takeovers.
The vulnerability exists specifically in the “Log File Folder” configuration setting, which sets the location for storing backup logs. By inserting directory traversal syntax into the path, the restrictions on backup destinations can be bypassed. The researcher who discovered this flaw assigned it a High severity rating of 8.7 on the industry-standard CVSS scale.
Impacts of this Vulnerability
This traversal vulnerability poses major risks if left unpatched:
- Overwriting of arbitrary website files depending on server folders that are writeable
- Complete disablement of sites stored on the same server
- Data destruction or theft for other sites sharing access
- Defacements and takeovers by exploiting corrupted files
While not currently being exploited in the wild, data suggests most attackers exploit vulnerabilities within the first two weeks of disclosure. So time is of the essence.
How to Remediate
The good news is that the BackWPup developers have already issued a patch in version 4.0.2. To mitigate this vulnerability, users simply need to update to the latest release. You can do this manually via the WordPress admin dashboard.
If you are a busy small business owner without time to monitor everything, we recommend enabling automatic background updates. This ensures critical security fixes are applied to WordPress and its plugins without any effort on your part. Our team can get this enabled easily.
For extra security, switching to alternate backup plugins such as UpdraftPlus is suggested until more information is known.
History of BackWPup Vulnerabilities
This is unfortunately not the first vulnerability uncovered in BackWPup. Since March 2011, four other security flaws have been found and patched. This indicates systemic issues with input validation and output encoding within the code base itself. While the developers respond well to disclosures, each new vulnerability adds to the overall exposure.
Conclusion
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.