OS Command Injection in WP-Database-Backup

Firo Solutions
Nov 3 · 1 min read

This vulnerability affects the WordPress Database Backup plugin (WP-Database-Backup) and allows a maliciously crafted payload stored in the WordPress “wp_db_exclude_table” option to be executed on the remote host.

Vulnerable code:

    $wp_db_exclude_table = array();
    // value read straight from the wp_options table, no validation applied
    $wp_db_exclude_table = get_option('wp_db_exclude_table');
    if (!empty($wp_db_exclude_table)) {
        foreach ($wp_db_exclude_table as $wp_db_exclude_table) {
            // each stored entry is concatenated, unescaped, into the shell command string
            $cmd .= ' --ignore-table=' . DB_NAME . '.' . $wp_db_exclude_table;
            // error_log(DB_NAME.'.'.$wp_db_exclude_table);
        }
    }

The code executes the program mysqldump with the argument “--ignore-table=” and appends each entry of the wp_db_exclude_table list to it. Because the entries are concatenated into the command string without validation or escaping, a malicious third party who can write to that option can inject a payload into the list, such as a netcat shell or a wget request that downloads and executes further code.
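As an added illustration, not the plugin's own code, here is one way to build the same mysqldump arguments so that a stored option value can never reach the shell: each entry is validated as a plain identifier and quoted with escapeshellarg(). The function name build_ignore_table_args() and the sample option values are assumptions made for this example.

```php
<?php
// Added example (not the plugin's code): build --ignore-table arguments from a
// stored option without letting its raw value reach the shell.
// Assumed: function name build_ignore_table_args(); the option values below are constructed.

/**
 * Return a string of --ignore-table=DB.TABLE arguments for mysqldump.
 * Entries that are not plain identifiers are logged and dropped instead of
 * being passed through, so shell metacharacters stored in the option are inert.
 */
function build_ignore_table_args(array $exclude_tables, string $db_name): string
{
    $args = '';
    foreach ($exclude_tables as $table) {
        // Accept only identifier characters (letters, digits, underscore), max 64 chars;
        // spaces, ';', '|', '$(' and backticks are refused outright.
        if (!is_string($table) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $table)) {
            error_log('wp_db_exclude_table: rejected entry ' . var_export($table, true));
            continue;
        }
        // Defence in depth: even a validated value is single-quoted for the shell.
        $args .= ' --ignore-table=' . escapeshellarg($db_name . '.' . $table);
    }
    return $args;
}

// Constructed sample option: two legitimate table names and one entry that
// carries a command separator, as a stored malicious value would.
$sample_option = ['wp_options', 'wp_postmeta', 'wp_users; echo injected'];

// The third entry is logged and skipped; only the two valid, quoted
// --ignore-table arguments are returned for the mysqldump command line.
$args = build_ignore_table_args($sample_option, 'wordpress');
echo $args, PHP_EOL;
```

Combined with a check that the option can only be written by users holding the manage_options capability, this removes the injection path while keeping the exclude-table feature working.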

Recommendation:
If you run WordPress with this plugin, we suggest you update your WordPress platform as soon as possible.

External Links:
Sucuri
Firo: https://blog.firosolutions.com/exploits/wpdbbackup/
