CVE-2021-24155
📋 TL;DR
The Backup Guard plugin's backup import feature accepts an uploaded file without validating its type, so an authenticated WordPress administrator can upload arbitrary files, including PHP, and have them written to a web-accessible directory. Requesting the uploaded PHP file then gives remote code execution on the web server. Because administrator credentials are required, the realistic attack path is a compromised, phished or brute-forced admin account. Only WordPress sites with a vulnerable version (below 1.6.0) of the Backup Guard plugin installed and active are affected.
💻 Affected Systems
- WordPress Backup and Migrate Plugin – Backup Guard
📦 What is this software?
Backup Guard by Backup Guard
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary code, steal data, install backdoors, pivot to other systems, and maintain persistent access.
Likely Case
Attackers gain shell access to the web server, allowing them to deface websites, steal sensitive data, install cryptocurrency miners, or use the server for further attacks.
If Mitigated
Updating to 1.6.0 or later, or removing the plugin, eliminates the issue. Blocking PHP execution in the plugin's upload directory or applying web application firewall rules to the import endpoint reduces the impact but does not remove the underlying flaw.
🎯 Exploit Status
Multiple public exploit scripts available. Requires valid administrator credentials. Exploitation is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.0
Vendor Advisory: https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Backup Guard' plugin.
4. Click 'Update Now' if an update is offered.
5. If no update is offered, download version 1.6.0 or later from the WordPress plugin repository.
6. Deactivate the old version.
7. Upload and activate the new version.
🔧 Temporary Workarounds
Disable Backup Guard Plugin
Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate backup-guard
Restrict File Uploads via .htaccess
Block execution of PHP files in the plugin's upload directory. This does not stop the upload itself; it stops the web server from running what was uploaded. Place the rule in a .htaccess file inside /wp-content/uploads/backup-guard/ (or the directory the plugin writes to). It needs AllowOverride to permit FilesMatch in .htaccess, and the Order/Deny lines are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use `Require all denied` in their place. The rule does nothing on nginx.
<FilesMatch "\.(php|php5|php7|phtml|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove the Backup Guard plugin entirely from the WordPress installation
- Implement strict file upload validation at the web server level and monitor for suspicious upload attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Backup Guard version. If version is below 1.6.0, the site is vulnerable.
Check Version:
wp plugin get backup-guard --field=version
Verify Fix Applied:
Confirm Backup Guard plugin version is 1.6.0 or higher in WordPress admin panel.
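The version comparison and a scan of the plugin's upload directory for anything the web server could execute, as an added Python example that is not part of this advisory or of the plugin's own code. The plugin header text is a constructed sample, the path of the plugin's main file under the WordPress install is an assumption, and the extension list is the one from the .htaccess workaround above.

```python
import os
import re
from pathlib import Path

# Version in which the vendor fixed the import file-type check (from the advisory above).
FIXED_VERSION = (1, 6, 0)

# Extensions that must never be executable from the plugin's upload directory.
# Same list as the .htaccess rule in the workarounds section.
EXECUTABLE_EXTS = {".php", ".php5", ".php7", ".phtml", ".phar"}

# Constructed sample of a WordPress plugin file header; the real header of
# backup-guard has more fields, but only the "Version:" line matters here.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Backup Guard
Plugin URI: https://backup-guard.com
Version: 1.5.8
*/
"""


def plugin_version_from_header(php_source: str):
    """Return the Version: value from a WordPress plugin header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][\w.\-]*)", php_source, re.MULTILINE)
    return m.group(1) if m else None


def parse_version(version: str):
    """Turn '1.5.8' or '1.10' into a comparable numeric tuple, padded to 3 parts.
    Non-numeric suffixes such as '1.5.8-beta' are ignored for the comparison."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True if the installed plugin version predates the fix."""
    return parse_version(version) < FIXED_VERSION


def executable_names(filenames):
    """From an iterable of file names, return those the web server could execute."""
    return sorted(f for f in filenames if Path(f).suffix.lower() in EXECUTABLE_EXTS)


def scan_upload_dir(upload_dir: str):
    """Walk the plugin's upload directory and list executable-looking files.
    A clean directory should contain only backup archives and the plugin's own logs."""
    hits = []
    for root, _dirs, files in os.walk(upload_dir):
        hits.extend(os.path.join(root, f) for f in executable_names(files))
    return hits


if __name__ == "__main__":
    # Assumed layout: WP_ROOT/wp-content/plugins/backup-guard/backup-guard.php
    wp_root = os.environ.get("WP_ROOT", "/var/www/html")
    main_file = os.path.join(wp_root, "wp-content", "plugins", "backup-guard", "backup-guard.php")
    if os.path.exists(main_file):
        with open(main_file, encoding="utf-8", errors="replace") as fh:
            source = fh.read(4096)  # the header is at the top of the file
    else:
        source = SAMPLE_PLUGIN_HEADER  # fall back to the constructed sample
    version = plugin_version_from_header(source)
    print(f"Backup Guard version: {version} -> {'VULNERABLE' if version and is_vulnerable(version) else 'not vulnerable'}")
    upload_dir = os.path.join(wp_root, "wp-content", "uploads", "backup-guard")
    if os.path.isdir(upload_dir):
        for hit in scan_upload_dir(upload_dir):
            print("executable file in upload dir:", hit)
```

Run it with `WP_ROOT=/path/to/wordpress python3 check_backup_guard.py`. A hit from `scan_upload_dir` on a patched site is not proof of compromise by itself, but a PHP file in a backup directory has no legitimate reason to exist and should be treated as an indicator until explained.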
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/backup-guard/ directory
- Multiple failed login attempts followed by successful admin login
- POST requests to /wp-admin/admin-ajax.php with action=sg_backup_guard_import
Network Indicators:
- HTTP POST requests with .php file uploads to backup guard endpoints
- Unusual outbound connections from web server after file upload
SIEM Query:
source="web_server_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters.action="sg_backup_guard_import") AND (file_extension="php" OR file_extension="phtml")
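The log indicators above, run over access-log lines in Python, as an added example that is not part of this advisory or of any SIEM product. The admin-ajax action name and the upload directory are the ones this page lists and are treated as assumptions, not verified against the plugin source; the log lines are constructed. Note that an access log only shows the action parameter when it is in the query string, and never shows the name or extension of a file inside a multipart POST body, so the strongest signal available from access logs is a PHP file being requested, and served with a 2xx, from the upload directory after an import call.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

# Assumptions taken from this page (not verified against the plugin source):
# the import handler is reached via admin-ajax.php with this action name, and
# uploaded files land under this directory.
IMPORT_ACTION = "sg_backup_guard_import"
UPLOAD_DIR = "/wp-content/uploads/backup-guard/"
EXECUTABLE_EXTS = {".php", ".php5", ".php7", ".phtml", ".phar"}

# Apache/nginx "combined" format: ip ident user [time] "METHOD URL PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access log: one admin session that imports a "backup" and
# then calls it as a web shell, one legitimate backup download, and one attempt
# that the deny rule from the workarounds section blocked with a 403.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2021:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=sg_backup_guard_import HTTP/1.1" 200 57 "-" "python-requests/2.25.1"
203.0.113.7 - - [01/Jul/2021:10:00:09 +0000] "GET /wp-content/uploads/backup-guard/shell.php?cmd=id HTTP/1.1" 200 61 "-" "python-requests/2.25.1"
198.51.100.3 - - [01/Jul/2021:10:05:00 +0000] "GET /wp-content/uploads/backup-guard/site_backup.sgbp HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jul/2021:10:07:30 +0000] "GET /wp-content/uploads/backup-guard/evil.phtml HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    parts = urlsplit(ev["url"])
    ev["path"] = parts.path
    ev["query"] = parse_qs(parts.query)
    ev["status"] = int(ev["status"])
    return ev


def is_import_call(ev):
    """POST to admin-ajax.php carrying the import action in the query string.
    If the plugin sends the action in the POST body instead, this needs
    request-body logging (WAF, mod_security) rather than the access log."""
    return (ev["method"] == "POST"
            and ev["path"] == "/wp-admin/admin-ajax.php"
            and IMPORT_ACTION in ev["query"].get("action", []))


def is_php_in_uploads(ev):
    """Any request for an executable extension below the plugin's upload directory."""
    return (ev["path"].startswith(UPLOAD_DIR)
            and Path(ev["path"]).suffix.lower() in EXECUTABLE_EXTS)


def detect(lines):
    """Return alerts in log order. Severity rules:
    info     - import endpoint called (legitimate admin activity, worth recording)
    high     - PHP served (2xx) from the upload directory
    critical - same, and the same IP called the import endpoint earlier in the log
    medium   - PHP requested from the upload directory but not served (blocked/missing)"""
    importers = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if is_import_call(ev):
            importers.add(ev["ip"])
            alerts.append({"severity": "info", "ip": ev["ip"], "path": ev["path"],
                           "reason": "Backup Guard import endpoint called"})
        elif is_php_in_uploads(ev):
            if 200 <= ev["status"] < 300:
                sev = "critical" if ev["ip"] in importers else "high"
                reason = "PHP executed from upload directory"
            else:
                sev = "medium"
                reason = f"PHP requested from upload directory, status {ev['status']}"
            alerts.append({"severity": sev, "ip": ev["ip"], "path": ev["path"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity']:8}] {a['ip']:15} {a['path']}  {a['reason']}")
```

Feed it a real log with `python3 detect_backup_guard.py < /var/log/apache2/access.log` after replacing the sample with `sys.stdin`. The medium-severity branch doubles as a check that the .htaccess workaround is in effect: a 403 on a PHP path under the upload directory means the deny rule fired, a 200 means it did not.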
🔗 References
- http://packetstormsecurity.com/files/163382/WordPress-Backup-Guard-1.5.8-Shell-Upload.html
- http://packetstormsecurity.com/files/163623/WordPress-Backup-Guard-Authenticated-Remote-Code-Execution.html
- https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb