Inactive WordPress Plugins Leading to Cross-Site Request Forgery to Database Downloads
On the 10th and 11th of February, I came across two inactive WordPress plugins relating to database backups. Both plugins had cross-site request forgery vulnerabilities where a logged-in admin could be tricked into clicking a link that will create a backup of the database. The database backups are then created and stored in an unsecured directory via the wp-content/uploads/ directory, which can be easily accessed due to no access restrictions in place.
Database Backups v1.2.2.6 <= CSRF to Database Download
February 10th, while looking through the WordPress plugin Database Backups versions 1.2.2.6 and lower, I found a CSRF (cross-site request forgery) that allowed backups to be created. By default, the backups created are stored in the wp-content/uploads/database-backups/ directory but can be changed to a custom directory via another CSRF located in the plugin options.
Database Backups was last updated over 5 years ago with no contact information to its developer. I contacted the WordPress plugin team regarding the security issues found and the plugin has since been closed.
Database Backups Timeline:
- Feb. 10th 2021: Vulnerabilities discovered.
- Feb. 10th 2021: Searched for developer contact information, was unsuccessful.
- Feb. 10th 2021: Contacted WordPress plugin team about security issues.
- Feb. 10th 2021: Plugin was closed by WordPress plugin team.
- Mar. 5th 2021: Checked to see if plugin was updated, wasn’t.
- Mar. 5th 2021: Disclosed vulnerabilities to WPscan.
- Apr. 7th 2021: Blog post.(:
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24174
https://wpscan.com/vulnerability/350c3e9a-bcc2-486a-90e6-d1dc13ce1bd5
VM Backups v1.0 CSRF to Database Download
February 11th, I came across another outdated and inactive database backup WordPress plugin called VM Backups. VM Backups is also vulnerable to a CSRF that allows database, plugin, and theme backups to be created and stored locally via wp-content/uploads/ directory, or sent to an arbitrary email address.
When creating backups, this plugin uses mysql_connect() which is now depreciated in PHP 7+ leaving this only possible on PHP versions prior to PHP 7. VM Backups was last updated more than 9 years ago, but surprisingly it was still getting active downloads. Like the previous plugin Database Backups, there was also no contact information to the developer which isn’t surprising as the last update was 9 years ago. I contacted the WordPress plugin team about the security issues found and the plugin has since been closed.
VM Backups Timeline:
- Feb. 11th 2021: Vulnerabilities discovered.
- Feb. 11th 2021: Searched for developer contact information, was unsuccessful.
- Feb. 11th 2021: Contacted WordPress plugin team about security issues.
- Feb. 15th 2021: Plugin was closed by WordPress plugin team.
- Mar. 5th 2021: Checked to see if plugin was updated, wasn’t.
- Mar. 5th 2021: Disclosed vulnerabilities to WPscan.
- Apr. 7th 2021: Blog post.(:
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24172
https://wpscan.com/vulnerability/187e6967-6961-4843-a9d5-866f6ebdb7bc
Hi there, I enjoy reading through your article post.
I like to write a little comment to support you.
Thanks for your blog, nice to read. Do not stop.