Description

WordPress Plugin BackWPup is prone to a vulnerability which can be exploited to execute local or remote code on the web server. The Input passed to the component "wp_xml_export.php" via the "wpabs" variable allows the inclusion and execution of local or remote PHP files as long as a "_nonce" value is known. The "_nonce" value relies on a static constant which is not defined in the script meaning that it defaults to the value "822728c8d9". WordPress Plugin BackWPup version 1.6.1 is vulnerable; other versions may also be affected.

Remediation

Update to the latest version

References

http://packetstormsecurity.com/files/view/99799/SOS-11-003.txt

http://www.senseofsecurity.com.au/advisories/SOS-11-003.pdf

http://www.exploit-db.com/exploits/17056/

http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0663.html

http://secunia.com/advisories/43565/

Related Vulnerabilities

WordPress Plugin Cart66 Pro Arbitrary File Disclosure (1.5.3)

WordPress Plugin SendGrid Security Bypass (1.11.8)

WordPress Plugin WP Mega Menu Security Bypass (1.4.0)

WordPress Plugin WordPress Users 'uid' Parameter SQL Injection (1.3)

Oracle Application Server CVE-2009-0994 Vulnerability (CVE-2009-0994)

Severity

High

Classification

CVE-2011-4342 CVE-2011-5208 CWE-22 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Code Execution