WordPress Plugin Vulnerabilities
JetBackup < 2.0.9.9 - Directory Listing Exposing Backups
Description
The plugin doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files.
A partial fix was released in 2.0.9.6, removing the ability to list the directory but still allowing direct access to the files by only guessing the timestamp of the backup.
Proof of Concept
1) Run backup function http://your_site/wordpress/wp-admin/admin.php?page=backup_guard_backups 2) When the scan is over, the attacker must sort through the directory "/wordpress/wp-content/uploads/jetbackup/*", after which there will be a Directory Listing vulnerability in it, which will allow pumping out all backup and all logs. This vulnerability will be available if a person names the file in a simple way.
Affects Plugins
References
Classification
Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
CWE
Miscellaneous
Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-11-30 (about 5 months ago)
Added
2024-02-02 (about 3 months ago)
Last Updated
2024-02-07 (about 3 months ago)