Backup Bolt < 1.4.0 – Sensitive Data Exposure | CVE 2023-7236

Description

The plugin is vulnerable to Information Exposure via the unprotected access of debug logs. This makes it possible for unauthenticated attackers to retrieve the debug log which may contain information like system errors which could contain sensitive information.

Proof of Concept

Access the error log at:

http://example.com/wordpress/babo-background-error.log

Affects Plugins

backup-bolt

Fixed in 1.4.0

References

CVE

CVE-2023-7236

URL

https://research.cleantalk.org/cve-2023-7236/

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

2a4557e2-b764-4678-a6d6-af39dd1ba76b

Timeline

Publicly Published

2024-02-20 (about 2 months ago)

Added

2024-02-20 (about 2 months ago)

Last Updated

2024-04-01 (about 1 months ago)

Other

Published

Title

Published

2023-12-07

Title

PayHere Payment Gateway < 2.2.12 - Unauthenticated Log Data Disclosure

Published

2021-12-13

Title

The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure

Published

2024-04-22

Title

FG Joomla to WordPress < 4.21.0 - Sensitive Information Exposure

Published

2023-10-16

Title

Front End PM < 11.4.3 - Sensitive Data Exposure via Directory Listing

Published

2023-10-09

Title

Image Regenerate & Select Crop < 7.3.1 - Sensitive Information Exposure