WordPress Simple Backup Plugin Arbitrary File Download Vulnerability
Vulnerability
The Simple Backup plugin for WordPress, in versions up to and including 2.7.10, is vulnerable to arbitrary file download. The download_backup_file function neither verifies that the requesting user holds the required capability nor validates the requested path and file type, so an attacker can retrieve sensitive files such as wp-config.php from the affected site.
Impact
An attacker who exploits this vulnerability can download arbitrary files from the web server, including wp-config.php, which holds the site's database credentials and authentication keys and salts.
Reproduction
To reproduce, request the wp-admin/tools.php page with the backup_manager parameter set and the download_backup_file parameter set to a path traversal payload that points at a sensitive file such as wp-config.php. The vulnerable function is triggered and the server returns the requested file as a download.
Remediation
Update the Simple Backup plugin to version 2.7.11 or a later patched release. Because a successful download of wp-config.php exposes the database credentials and authentication keys and salts, site owners who find requests with a traversal payload in the download_backup_file parameter in their web server logs should also rotate those secrets.
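The following block is an added illustration, not code from the Simple Backup plugin or its patch. It reconstructs the defect class described above (a download handler that builds a filesystem path from the raw download_backup_file parameter without a capability check or file type validation) and places a hardened handler beside it. The function names, the nonce action `simple_backup_download`, and the backup directory under wp-content/uploads are assumptions for the example.

```php
<?php
// Illustrative reconstruction, not the plugin's actual code. Assumed names:
// simple_backup_download_vulnerable(), simple_backup_download_hardened(),
// nonce action 'simple_backup_download', backups stored under
// wp-content/uploads/simple-backup/.

// VULNERABLE: the request parameter is concatenated into the path with no
// capability check, no nonce and no restriction on directory or file type,
// so a value such as ../../../wp-config.php is served like any backup.
function simple_backup_download_vulnerable() {
    if ( empty( $_GET['download_backup_file'] ) ) {
        return;
    }
    $file = WP_CONTENT_DIR . '/uploads/simple-backup/' . $_GET['download_backup_file'];
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $file ) . '"' );
    readfile( $file );
    exit;
}

// HARDENED: only users with manage_options and a valid nonce may download,
// the name is reduced to its basename, only known backup extensions are
// served, and the resolved path must stay inside the backup directory.
function simple_backup_download_hardened() {
    if ( empty( $_GET['download_backup_file'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Expects a _wpnonce query argument created with
    // wp_nonce_url( $url, 'simple_backup_download' ).
    check_admin_referer( 'simple_backup_download' );

    $backup_dir = realpath( WP_CONTENT_DIR . '/uploads/simple-backup' );

    // basename() discards every directory component, including ../ segments.
    $name = basename( wp_unslash( $_GET['download_backup_file'] ) );

    // Allow-list of extensions the plugin is assumed to produce.
    $allowed = array( 'zip', 'sql', 'gz', 'tar' );
    $ext     = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed, true ) ) {
        wp_die( 'Invalid backup file type.', '', array( 'response' => 400 ) );
    }

    // realpath() resolves symlinks and dot segments; the result must be an
    // existing regular file whose path begins with the backup directory.
    $path = realpath( $backup_dir . '/' . $name );
    if ( false === $backup_dir || false === $path
        || 0 !== strpos( $path, $backup_dir . DIRECTORY_SEPARATOR )
        || ! is_file( $path ) ) {
        wp_die( 'Backup file not found.', '', array( 'response' => 404 ) );
    }

    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    readfile( $path );
    exit;
}
```

The hardened handler layers four independent controls: the capability check limits who can reach the code at all, the nonce ties the request to an intentional admin action, the extension allow-list stops configuration and PHP files from being served even if a name slips through, and the realpath containment check catches anything basename() alone would miss, such as a symlink inside the backup directory pointing elsewhere.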
