Tag Archives: BackUpWordPress – Plugin Vulnerabilities

29 Mar 2022

Vulnerability Details: Authenticated Information Disclosure in BackUpWordPress

This post provides the details of a vulnerability in the WordPress plugin BackUpWordPress not discovered by us, where the discoverer hadn't provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service, you would have already been warned about this vulnerability if your website is vulnerable due to it. You can try out our service for free and then see the details of the vulnerability.

For existing customers, please log in to your account to view the contents of the post.

30 Jun 2017

What Happened With WordPress Plugin Vulnerabilities in June 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during June (and what you have been missing out on if you haven’t signed up yet):

Plugin Security Reviews

Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:

Google XML Sitemaps

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month

We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities while monitoring hackers activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.

This month the most concerning vulnerabilities we found were a couple of information disclosure vulnerabilities, one that exposes contact form submissions saved by a plugin and the other exposes customer information from CRM plugin. Neither of those has been fixed yet.

Plugin Vulnerabilities We Helped Get Fixed This Month

Letting you know that you are using a vulnerable version of plugin is useful, but it is much more useful if you can fully protect yourself by simple updating to a new version. So we work with plugin developers and the Plugin Directory to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 340,000+ active installs:

Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Companion Auto Update, discovered by us
Full path disclosure vulnerability in BackUpWordPress, discovered by us
Reflected cross-site scripting (XSS) vulnerability in Newsletters, discovered by Neven Biruski
Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Responsive Menu, discovered by us
Reflected cross-site scripting (XSS) vulnerability in uCare, discovered by us
Reflected cross-site scripting (XSS) vulnerability in Brute Force Login Protection, discovered by us

Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins

Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:

Information disclosure vulnerability in Save Contact Form 7, discovered by us
Authenticated information disclosure vulnerability in Contact Form 7 Database, discovered by us
Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Count per Day, discovered by us
Authenticated persistent cross-site scripting (XSS) vulnerability in WP Posts Carousel, discovered by us
Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Skype Legacy Buttons, discovered by us
Cross-site request forgery (CSRF) vulnerability in Contact Form 7 – PayPal Add-on, discovered by us
Cross-site request forgery (CSRF) vulnerability in PayPal Digital Downloads, discovered by us
Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in PayPal Shopping Cart, discovered by us
Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Easy PayPal Gift Certificate, discovered by us
Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in PayPal Buy Now Button, discovered by us
Reflected cross-site scripting (XSS) vulnerability in WP Custom Fields Search, discovered by Dimitrios Tsagkarakis
Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Multi Feed Reader, discovered by us
Reflected cross-site scripting (XSS) vulnerability in Product Catalog, discovered by us
Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Newsletters, discovered by us
Information disclosure vulnerability in UpiCRM, discovered by us
Cross-site request forgery (CSRF)/settings change vulnerability in Salon booking system, discovered by us
Reflected cross-site scripting (XSS) vulnerability in Postman SMTP, discovered by us

Additional Vulnerabilities Added This Month

As usual, there were plenty of other vulnerabilities that we added to our data during the month.

For the most serious vulnerabilities fixed this the plugin didn’t get its version number changed, so those already using the latest version are left vulnerable. We notified the developer over two weeks ago, but they haven’t resolved that yet. If you were using our service you would have been notified about the situation already and could have taken action to protect yourself. As far as we can tell no other data providers even include the vulnerability in their data set (we do much more collective data collection than anyone else).

Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Companion Auto Update, discovered by us
Reflected cross-site scripting (XSS) vulnerability in Memphis Documents Library, discovered by?
Order duplication vulnerability in WC Duplicate Order, discovered by dungengronovius
SQL injection vulnerability in Save Contact Form 7, discovered by ?
Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Responsive Menu, discovered by us
Settings change vulnerability in WP Custom Admin Login Page Logo, discovered by po1838660997
Reflected cross-site scripting vulnerability in Spiffy Calendar, discovered by Dimitrios Tsagkarakis
Authenticated SQL injection vulnerability in Event List, discovered by Dimitrios Tsagkarakis
Persistent cross-site scripting (XSS) vulnerability in RSVP, discovered by ?
File manager access vulnerability in WP File Manager, discovered by ?
Arbitrary file upload vulnerability in WP File Manager, discovered by ?
Arbitrary file viewing vulnerability in WP File Manager, discovered by ?
Authenticated file manager access vulnerability in File Manager, discovered by ?
Authenticated arbitrary file upload vulnerability in File Manager, discovered by ?
Authenticated arbitrary file viewing vulnerability in File Manager, discovered by ?
Reflected cross-site scripting (XSS) vulnerability in WP-Members, discovered by Chris Liu
Authenticated open redirect vulnerability in WordPress Download Manager, discoverd by Gen Sato of Mitsui Bussan Secure Directions, Inc.
Reflected cross-site scripting (XSS) vulnerability in WordPress Download Manager, discovered by Gen Sato of Mitsui Bussan Secure Directions, Inc.
Reflected cross-site scripting (XSS) vulnerability in WordPress Download Manager, discovered by Tom Adams of dxwsecurity
Reflected cross-site scripting (XSS) vulnerability in All-in-One WP Migration, discovered by Oways
Reflected cross-site scripting (XSS) vulnerability in Analytics Tracker, discovered by Arjan Snaterse
Reflected cross-site scripting (XSS) vulnerability in uCare, discovered by us
Authenticated SQL injection vulnerability in Product Catalog, discovered by Lenon Leite
Reflected cross-site scripting (XSS) vulnerability in Brute Force Login Protection, discovered by us
Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Custom Sidebars, discovered by qasuar
Reflected cross-site scripting (XSS) vulnerability in Event Calendar WD, discovered by Chris Liu

24 Apr 2017

WordPress Plugin Security Review: BackUpWordPress

For our seventh security review of a plugin based on the voting of our customers, we reviewed the plugin BackUpWordPress.

If you are not yet a customer of the service you can currently try it free for your first month and then start suggesting and voting on plugins to get security reviews after your first payment for the service. For those already using the service that haven’t already suggested and voted for plugins you can start doing that here.

The review was done on version 3.6.3.1 of BackUpWordPress. We checked for the following issues:

Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
Deserialization of untrusted data
Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
Cross-site request forgery (CSRF) vulnerabilities in the admin portion of plugins
SQL injection vulnerabilities (the code that handles requests to the database)
Reflected cross-site scripting (XSS) vulnerabilities
Lack of protection against unintended direct access of PHP files

Results

During the review we only found one minor issue:

Lack of Protection Against Direct Access to Files

Numerous .php files that look like they are not intended to be accessed directly are lacking code at the beginning of the file to restrict direct access to the files. In the files we looked over we only found one minor issue, one of the files causes a full path disclosure vulnerability. That provides the full path to web sites’s location on the server’s filesystem. On its own that can’t be used to do anything, but it could be combined with vulnerability that requires knowing that information or in the case of cPanel based websites it would provide an attacker with the username for cPanel.

Unlike most full path disclosure vulnerabilities in plugins, this one would occur on servers where PHP’s error reporting is not set to show them since the file in question, /vendor/ifsnop/mysqldump-php/tests/test.php, enables all error reporting (which would override the normal setting for that):

error_reporting(E_ALL);

What we also noticed about this is that the file is a testing file for a third party library, which didn’t look to be needed to be included with the plugin. It was in one of two test directories included with third party libraries that come with the plugin.

When we contacted the plugin’s maker about this we were told that the developers had been touched based with about it and “they plan to get this taken care of right away”. Several days after that an issue was started on the GitHub page for the plugin and then was closed and redacted a couple days after that. A month later the plugin hasn’t received any updates, so the issue remains in it for now.