BackWPup Local File Inclusion Vulnerability via REST API Block Name Parameter

Vulnerability

A local file inclusion vulnerability has been identified in the BackWPup plugin for WordPress, affecting all versions through 5.6.6. The issue arises in the '/wp-json/backwpup/v1/getblock' REST endpoint, where the 'block_name' parameter is improperly sanitized. This flaw allows authenticated attackers with Administrator-level access to include arbitrary PHP files from the server by exploiting path traversal sequences. Such exploitation could lead to reading sensitive files like 'wp-config.php' or, in certain configurations, allow remote code execution. Additionally, the vulnerability could be exploited by lower-level users if granted backup management permissions by an administrator.

Impact

Successful exploitation allows for local file inclusion, with the potential to read sensitive files or execute arbitrary code in certain configurations.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges can send a POST request to the '/wp-json/backwpup/v1/getblock' endpoint. The request must include a 'block_name' parameter with a value that contains crafted traversal sequences, such as '....//', to bypass the inadequate sanitization and include a desired PHP file from the server.

Remediation

Users are advised to update the BackWPup plugin to version 5.6.7 or later, where this vulnerability has been patched.

Added: Apr 14, 2026, 3:22 AM
Updated: Apr 14, 2026, 3:22 AM

Vulnerability Rating

Custom Algorithm

spread:          6.4
impact:          7.5
exploitability:  6.0
remediation:     7.7
relevance:       5.9
threat:          4.8
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.