JetBackup WordPress Plugin Path Traversal Vulnerability Leading to Arbitrary Directory Deletion

A path traversal vulnerability allowing arbitrary directory deletion has been identified in the JetBackup WordPress plugin, specifically in versions through 3.1.19.8. The issue arises from inadequate input validation on the 'fileName' parameter within the file upload handler. Although the plugin attempts to sanitize the 'fileName' parameter by removing HTML tags, it fails to block path traversal sequences such as '../'. Consequently, the unsanitized filename is directly appended in the 'Upload::getFileLocation()' method without proper validation, enabling authenticated administrators to delete critical WordPress directories, including 'wp-content/plugins', which disrupts site functionality.

Impact

Exploitation of this vulnerability allows authenticated administrators to delete arbitrary directories, potentially including essential WordPress directories such as 'wp-content/plugins', which could disable all installed plugins and cause significant disruption to the site.

Reproduction

To reproduce this vulnerability, an authenticated user with administrator privileges can upload a file through the JetBackup plugin's file upload feature. The upload process can be manipulated by including path traversal sequences in the 'fileName' parameter, bypassing the plugin's insufficient sanitization. Once the file is uploaded, the vulnerability can be exploited by triggering the deletion of the uploaded file, which will recursively remove the entire directory it was uploaded to, including any critical WordPress files or directories.

Remediation

Users are advised to update the JetBackup WordPress plugin to version 3.1.20.3 or later, where this vulnerability has been patched.