WordPress Plugin Vulnerabilities

Backuply – Backup, Restore, Migrate and Clone < 1.2.4 - Admin+ Directory Traversal

Description

The plugin is vulnerable to Directory Traversal via the node_id parameter in the backuply_get_jstree function.
This makes it possible for attackers with administrator privileges or higher to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
backuply
Fixed in 1.2.4

References

CVE
CVE-2024-0697
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/70effa22-fbf6-44cb-9d1b-8625969c10ac

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Bence Szalai
Verified
No
WPVDB ID
a9617715-0c69-4007-91c5-50e2d70b7128

Timeline

Publicly Published
2024-01-26 (about 2 years ago)
Added
2024-01-26 (about 2 years ago)
Last Updated
2024-01-26 (about 2 years ago)

Other

Published
Title
Published
2026-04-15
Title
Career Section < 1.7 - Cross-Site Request Forgery to Arbitrary File Deletion
Published
2017-12-28
Title
Church Admin 0.33.2.1 - Unauthenticated Directory Traversal
Published
2014-08-01
Title
Browser Rejector - Remote & Local File Inclusion
Published
2024-08-15
Title
JetTabs < 2.2.3.1 - Authenticated (Contributor+) Arbitrary Local File Inclusion
Published
2024-08-12
Title
Bit Form Pro < 2.8.0 - Unauthenticated Arbitrary File Deletion