Database Backup for WordPress Missing Authorization Vulnerability in Unauthenticated Database Backup Interception

A vulnerability exists in the Database Backup for WordPress plugin, specifically in versions through 2.5.2. The issue stems from the plugin's failure to properly restrict access to the 'wp_db_temp_dir' parameter, which determines where database backups are stored. This oversight allows unauthenticated attackers to send requests to 'wp-cron.php' with a manipulated 'wp_db_temp_dir' value that points to a publicly accessible directory, such as 'wp-content/uploads/'. If a scheduled backup is due, the attacker can intercept the backup file before it is deleted. The backup file's name is predictable, based on the database name, table prefix, date, and Swatch Internet Time, making it easy to capture. Exploiting this vulnerability could lead to the exposure of sensitive information, including database credentials, user password hashes, and personally identifiable information. The vulnerability requires that the site administrator has set up scheduled backups.

Impact

Exploitation of this vulnerability allows for unauthorized interception of database backup files, which can contain sensitive information such as database credentials, user password hashes, and personally identifiable information.

Reproduction

To reproduce this vulnerability, an unauthenticated user can send a request to 'wp-cron.php' with a 'wp_db_temp_dir' value that points to a publicly accessible directory. If a scheduled backup is due, the manipulated request will intercept the backup file before it is removed from the server.

Remediation

Users are advised to update the Database Backup for WordPress plugin to version 2.5.3 or later.