WP Staging (Free < 3.1.3, Pro < 5.1.3) – Unauthenticated Backup Download | CVE 2023-6113 | Plugin Vulnerabilities

Description

The plugin does not prevent visitors from leaking key information about ongoing backups processes, allowing unauthenticated attackers to download said backups later.

Proof of Concept

The plugin creates temporary cache files when backing up sites, which are publicly accessible to anyone. Said cache files contain critical information (such as a backup's secret ID), allowing attackers to find and download the resulting backup files.

While running a new backup (or one automatically runs!), try to get ahold of the following cache file:

https://vulnerable-site.tld/wp-content/uploads/wp-staging/cache/jobCache_backup_job.cache

Once this is done, you will find the resulting backup file at https://vulnerable-site.tld/wp-content/uploads/wp-staging/backups/vulnerable-site.tld_YYYYMMDD-HHMMSS_SECRETID.wpstg

You can find the date ("YYMMDD"), the time ("HHMMSS") and SECRETID in the information leaked from the cache file.

Affects Plugins

Fixed in 3.1.3

Fixed in 5.1.3

References

CVE

URL

https://research.cleantalk.org/cve-2023-6113-wp-staging-unauth-sensitive-data-exposure-to-account-takeover-poc-exploit/

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

5a71049a-09a6-40ab-a4e8-44634869d4fb

Timeline

Publicly Published

2023-12-06 (about 2 years ago)

Added

2023-12-07 (about 2 years ago)

Last Updated

2023-12-13 (about 2 years ago)

Other

Published

Title

Published

2024-06-05

Title

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.110 - Authenticated (Contributor+) Information Exposure

Published

2024-10-28

Title

Move Addons for Elementor < 1.3.6 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates

Published

2025-08-14

Title

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI < 3.37.3 - Authenticated (Subscriber+) Information Exposure

Published

2024-08-08

Title

Linkify Text <= 1.9.1 - Unauthenticated Full Path Disclosure

Published

2023-06-08

Title

Metform Elementor Contact Form Builder < 3.3.2 - Multiple Subscriber+ Sensitive Information Disclosure Issues