WordPress Plugin Vulnerabilities

BackUpWordPress < 3.14 - Admin+ Directory Traversal

Description

The BackUpWordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.13 via the hmbkp_directory_browse parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to traverse directories outside of the context in which the plugin should allow.

Affects Plugins

Plugin icon
backupwordpress
Fixed in 3.14

References

CVE
CVE-2024-3034
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2805cb0-8913-4487-8445-031b7d920e2d

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
2.7 (low)

Miscellaneous

Original Researcher
dk0pf
Verified
No
WPVDB ID
6de88e63-b8c1-47e7-bbde-2b8909eab0de

Timeline

Publicly Published
2024-04-26 (about 2 years ago)
Added
2024-04-26 (about 2 years ago)
Last Updated
2024-04-26 (about 2 years ago)

Other

Published
Title
Published
2025-03-29
Title
Include URL <= 0.3.5 - Authenticated (Contributor+) Arbitrary File Download
Published
2024-06-06
Title
Ovic Importer <= 1.6.3 - Authenticated (Subscriber+) Arbitrary File Download
Published
2026-02-16
Title
WP Maps < 4.8.7 - Subscriber+ Limited Local File Inclusion
Published
2025-05-22
Title
Infocob CRM Forms < 2.4.1 - Authenticated (Editor+) Arbitrary File Download
Published
2025-03-27
Title
Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.8.8 - Unauthenticated Arbitrary File Deletion