module
WP Database Backup RCE
| Disclosed | Created |
|---|---|
| 2019-04-24 | 2019-07-23 |
Disclosed
2019-04-24
Created
2019-07-23
Description
There exists a command injection vulnerability in the Wordpress plugin
`wp-database-backup` for versions
For the backup functionality, the plugin generates a `mysqldump` command
to execute. The user can choose specific tables to exclude from the backup
by setting the `wp_db_exclude_table` parameter in a POST request to the
`wp-database-backup` page. The names of the excluded tables are included in
the `mysqldump` command unsanitized. Arbitrary commands injected through the
`wp_db_exclude_table` parameter are executed each time the functionality
for creating a new database backup are run.
Authentication is required to successfully exploit this vulnerability.
`wp-database-backup` for versions
For the backup functionality, the plugin generates a `mysqldump` command
to execute. The user can choose specific tables to exclude from the backup
by setting the `wp_db_exclude_table` parameter in a POST request to the
`wp-database-backup` page. The names of the excluded tables are included in
the `mysqldump` command unsanitized. Arbitrary commands injected through the
`wp_db_exclude_table` parameter are executed each time the functionality
for creating a new database backup are run.
Authentication is required to successfully exploit this vulnerability.
Authors
Mikey Veenstra / Wordfence
Shelby Pace
Shelby Pace
Platform
Linux,Windows
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.