Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

WP Database Backup OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the WP Database Backup plugin for WordPress, affecting versions prior to 5.2. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system by exploiting the plugin's backup functionality. The issue arises because the plugin's 'mysqldump' command, used for database backups, includes unsanitized user input from the 'wp_db_exclude_table' parameter. As a result, injected commands are executed each time a backup is performed, with the malicious payload persisting until manually removed.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where the affected WordPress site is hosted.

Reproduction

To reproduce this vulnerability, first, update the 'wp_db_exclude_table' option with a command payload using an arbitrary option update vulnerability. Once the payload is stored, the command will be executed each time the WP Database Backup plugin creates a database backup, either manually or through the plugin's auto-backup feature.

Remediation

Users are advised to update the WP Database Backup plugin to version 5.2 or later.
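To make the root cause and the fix concrete, here is an added example (not the plugin's own code) of the unsafe pattern the advisory describes, a hardened version of the same command construction, and a check a defender can run against the stored option value when reviewing a site; it assumes the 'wp_db_exclude_table' option holds a comma-separated list of table names, and the function names, database name and table list are constructed for the demonstration.

```php
<?php
// Added example (not the plugin's own code). Assumes the stored option
// 'wp_db_exclude_table' is a comma-separated list of tables to skip and that
// the plugin builds a mysqldump command line from it.

// Illustrative vulnerable pattern: option value spliced straight into the shell string.
function build_dump_cmd_unsafe(string $exclude_raw, string $db): string {
    $ignore = '';
    foreach (explode(',', $exclude_raw) as $table) {
        $ignore .= ' --ignore-table=' . $db . '.' . $table; // no validation, no quoting
    }
    return 'mysqldump ' . $db . $ignore;
}

// Defensive check: true if the stored value contains anything other than
// table-name characters, commas and whitespace. Useful when inspecting
// wp_options after an incident (e.g. the output of `wp option get wp_db_exclude_table`).
function exclude_option_looks_tampered(string $value): bool {
    return preg_match('/^[A-Za-z0-9_,\s]*$/', $value) !== 1;
}

// Hardened form: allowlist each name, require it to be an existing table
// (the $known_tables list would come from SHOW TABLES) and quote every argument.
function build_dump_cmd_safe(string $exclude_raw, string $db, array $known_tables): string {
    $args = [escapeshellarg($db)];
    foreach (explode(',', $exclude_raw) as $table) {
        $table = trim($table);
        if ($table === '') { continue; }
        if (preg_match('/^[A-Za-z0-9_]+$/', $table) !== 1 || !in_array($table, $known_tables, true)) {
            throw new InvalidArgumentException('Rejected exclude-table entry: ' . $table);
        }
        $args[] = '--ignore-table=' . escapeshellarg($db . '.' . $table);
    }
    return 'mysqldump ' . implode(' ', $args);
}

// Constructed sample values for the demonstration.
$known   = ['wp_posts', 'wp_users', 'wp_options'];
$clean   = 'wp_posts, wp_users';
$tainted = 'wp_posts;bad'; // a shell metacharacter smuggled into the option value

var_dump(exclude_option_looks_tampered($clean));
var_dump(exclude_option_looks_tampered($tainted));
echo build_dump_cmd_safe($clean, 'wpdb', $known), "\n";
try {
    build_dump_cmd_safe($tainted, 'wpdb', $known);
} catch (InvalidArgumentException $e) {
    echo 'Blocked: ', $e->getMessage(), "\n";
}
```

Because the payload persists in the database, checking the stored option value is part of cleanup even after the plugin has been updated.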

Added: Jul 25, 2025, 3:22 AM
Updated: Jul 25, 2025, 3:22 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 10.0
exploitability: 7.1
remediation: 7.7
relevance: 0.3
threat: 9.7
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.