Keep Backup Daily WordPress Plugin Limited Path Traversal Vulnerability

Vulnerability

A limited path traversal vulnerability has been identified in the Keep Backup Daily plugin for WordPress, affecting all versions through 2.1.1. The issue arises in the 'kbd_open_upload_dir' AJAX action, where the 'kbd_path' parameter is inadequately validated: it is only passed through 'sanitize_text_field()', which strips tags and control characters but does not remove path traversal sequences such as '../'. As a result, authenticated attackers with Administrator-level access can list the contents of arbitrary directories on the server, outside the designated uploads directory.
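The root cause described above is that 'sanitize_text_field()' is a content sanitizer, not a path validator. The following added example (not the plugin's own code) shows the kind of check a handler like 'kbd_open_upload_dir' would need before listing a directory: resolve the requested path with realpath(), then confirm the canonical result still sits under the uploads base directory. The function name 'kbd_resolve_within_base' is hypothetical; in a WordPress handler the base would come from wp_upload_dir()['basedir'], and PHP 8.0+ is assumed for str_contains()/str_starts_with().

```php
<?php
// Added example, not code from the Keep Backup Daily plugin.
// Confine a user-supplied directory path to a base directory before listing it.
// In WordPress, $base would be wp_upload_dir()['basedir'] and $requested the
// 'kbd_path' request parameter (after wp_unslash()).

/**
 * Resolve $requested relative to $base and return the canonical directory path,
 * or null if the result would escape $base (via "../", absolute paths, symlinks
 * or NUL bytes). Hypothetical helper name.
 */
function kbd_resolve_within_base(string $base, string $requested): ?string
{
    $realBase = realpath($base);
    if ($realBase === false || !is_dir($realBase)) {
        return null;
    }
    // Reject NUL bytes and absolute paths (POSIX, UNC, or drive-letter) outright.
    if (str_contains($requested, "\0") || preg_match('~^([a-zA-Z]:)?[/\\\\]~', $requested)) {
        return null;
    }
    // realpath() collapses ".." and follows symlinks; only then is a prefix
    // comparison meaningful. A non-existent target also fails here.
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $realBase && !str_starts_with($candidate, $prefix)) {
        return null;
    }
    return $candidate;
}

// Demo on a constructed temporary directory tree: a subdirectory is accepted,
// attempts to climb out of the base are rejected.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'kbd_demo_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'sub', 0700, true);
foreach (['sub', '../', 'sub/../../', '/etc'] as $input) {
    $resolved = kbd_resolve_within_base($base, $input);
    echo str_pad(var_export($input, true), 14), ' => ',
        ($resolved === null ? 'rejected' : 'allowed: ' . $resolved), PHP_EOL;
}
rmdir($base . DIRECTORY_SEPARATOR . 'sub');
rmdir($base);
```

The prefix comparison must happen after realpath(), since checking the raw string for '../' misses encoded or symlinked variants.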

Impact

Exploitation of this vulnerability could lead to unauthorized directory traversal, allowing attackers to access and list files in directories outside the intended upload path. Because the required privilege is Administrator, the primary risk is information disclosure that aids further attacks (for example, learning file layout and names) after an administrator account has already been compromised.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges can send a request to the 'kbd_open_upload_dir' AJAX action. The 'kbd_path' parameter should be included in the request, using a path traversal sequence to navigate to a directory outside the uploads folder. Once the request is processed, the response will include the contents of the targeted directory, demonstrating the successful exploitation of the path traversal vulnerability.

Remediation

Users are advised to update the Keep Backup Daily WordPress plugin to version 2.1.3 or later, where this vulnerability has been patched.

Added: Mar 21, 2026, 12:26 AM
Updated: Mar 21, 2026, 12:26 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.8
exploitability: 6.0
remediation: 7.7
relevance: 4.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.