BulletProof Security < 5.2 – Sensitive Information Disclosure | CVE 2021-39327 | Plugin Vulnerabilities

Description

The plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files.

Proof of Concept

https://example.com/wp-content/bps-backup/logs/db_backup_log.txt
https://example.com/wp-content/plugins/bulletproof-security/admin/htaccess/db_backup_log.txt

Affects Plugins

bulletproof-security

Fixed in 5.2

References

CVE

Exploitdb

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39327

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Vincent Rakotomanga

Verified

Yes

WPVDB ID

8a69ba6e-b3d1-47a2-b7e5-fbe199bfb3d0

Timeline

Publicly Published

2021-09-16 (about 4 years ago)

Added

2021-09-16 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2026-01-16

Title

WP Hotel Booking < 2.2.8 - Unauthenticated Sensitive Information Exposure via 'email' Parameter

Published

2026-02-17

Title

Simple Ajax Chat < 20260217 - Unauthenticated Information Exposure

Published

2025-02-04

Title

WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto < 8.0.9 - Unauthenticated Sensitive Information Exposure

Published

2024-04-25

Title

Solid Affiliate <= 1.9.1 - Sensitive Information Exposure

Published

2024-07-26

Title

Add Admin JavaScript <= 2.0 - Unauthenticated Full Path Dislcosure