Backup by Supsystic <= 2.3.9 – Authenticated Arbitrary File Download and Deletion

Description

The plugin does not check for path traversal attacks, allowing administrator to download and delete any file from the web server. Due to the lack of CSRF check on the file deletion, unauthenticated attacker could make a logged in administrator delete files from the web server as well

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

backup-by-supsystic

No known fix

References

Exploitdb

49545

Classification

Type

TRAVERSAL

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

9.1 (critical)

Miscellaneous

Original Researcher

Erik David Martin

Verified

Yes

WPVDB ID

c2c2feeb-e380-4ec9-be3c-8ffa364c7dcf

Timeline

Publicly Published

2021-02-08 (about 5 years ago)

Added

2021-02-08 (about 5 years ago)

Last Updated

2021-02-09 (about 5 years ago)

Other

Published

Title

Published

2023-03-20

Title

Hummingbird < 3.4.2 - Unauthenticated Path Traversal

Published

2023-08-14

Title

Orders Tracking for WooCommerce < 1.2.6 - Admin+ Arbitrary File Access/Read

Published

2023-05-15

Title

MW WP Form < 4.4.3 - Unauthenticated Path Traversal

Published

2015-09-30

Title

mTheme Unus < 2.3 - Directory Traversal

Published

2022-10-28

Title

Ultimate Member < 2.5.1 - Admin+ RCE