Description
WordPress Plugin BackWPup is prone to a vulnerability which can be exploited to execute local or remote code on the web server. The Input passed to the component "wp_xml_export.php" via the "wpabs" variable allows the inclusion and execution of local or remote PHP files as long as a "_nonce" value is known. The "_nonce" value relies on a static constant which is not defined in the script meaning that it defaults to the value "822728c8d9". WordPress Plugin BackWPup version 1.6.1 is vulnerable; other versions may also be affected.
Remediation
Update to the latest version
References
http://packetstormsecurity.com/files/view/99799/SOS-11-003.txt
http://www.senseofsecurity.com.au/advisories/SOS-11-003.pdf
http://www.exploit-db.com/exploits/17056/
http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0663.html
Related Vulnerabilities
WordPress Plugin Cart66 Pro Arbitrary File Disclosure (1.5.3)
WordPress Plugin SendGrid Security Bypass (1.11.8)
WordPress Plugin WP Mega Menu Security Bypass (1.4.0)
WordPress Plugin WordPress Users 'uid' Parameter SQL Injection (1.3)
Oracle Application Server CVE-2009-0994 Vulnerability (CVE-2009-0994)