{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-5504", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-10-10T18:10:11.211Z", "datePublished": "2024-01-11T08:33:06.702Z", "dateUpdated": "2024-01-11T08:33:06.702Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-01-11T08:33:06.702Z"}, "affected": [{"vendor": "wp_media", "product": "BackWPup \u2013 WordPress Backup Plugin", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "4.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present) when the first backup job is run that are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to the root of another site in a shared environment and thus disable that site."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e830fe1e-1171-46da-8ee7-0a6654153f18?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/backwpup/trunk/inc/class-page-settings.php?rev=2818974#L457"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3000176%40backwpup%2Ftrunk&old=2980789%40backwpup%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "baseScore": 8.7, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Marco Wotschka"}], "timeline": [{"time": "2023-10-10T00:00:00.000+00:00", "lang": "en", "value": "Discovered"}, {"time": "2023-11-22T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:inpsyde:backwpup:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DABBA142-B0ED-4803-B99E-38DBE680AB91", "versionEndIncluding": "4.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present) when the first backup job is run that are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to the root of another site in a shared environment and thus disable that site."}, {"lang": "es", "value": "El complemento BackWPup para WordPress es vulnerable a Directory Traversal en versiones hasta la 4.0.1 incluida a trav\u00e9s de la carpeta de archivos de registro. Esto permite a los atacantes autenticados almacenar copias de seguridad en carpetas arbitrarias en el servidor, siempre que el servidor pueda escribir en ellas. Adem\u00e1s, la configuraci\u00f3n predeterminada colocar\u00e1 un archivo index.php y .htaccess en el directorio elegido (a menos que ya est\u00e9 presente) cuando se ejecute el primer trabajo de copia de seguridad, cuyo objetivo es evitar la lista de directorios y el acceso a archivos. Esto significa que un atacante podr\u00eda establecer el directorio de respaldo en la ra\u00edz de otro sitio en un entorno compartido y as\u00ed desactivar ese sitio."}], "id": "CVE-2023-5504", "lastModified": "2024-01-17T19:50:57.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-01-11T09:15:47.553", "references": [{"source": "security@wordfence.com", "tags": ["Issue Tracking"], "url": "https://plugins.trac.wordpress.org/browser/backwpup/trunk/inc/class-page-settings.php?rev=2818974#L457"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3000176%40backwpup%2Ftrunk&old=2980789%40backwpup%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Product", "Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e830fe1e-1171-46da-8ee7-0a6654153f18?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}