CVE-2021-24174
📋 TL;DR
The Database Backups WordPress plugin, through version 1.2.2.6, performs its backup actions without Cross-Site Request Forgery (CSRF) checks. An attacker who lures a logged-in, sufficiently privileged user to a page they control can make that user's browser submit requests that generate database backups, change the plugin's settings or delete existing backups. The impact is on the integrity and availability of backup data, and potentially on confidentiality.
💻 Affected Systems
- WordPress Database Backups plugin
📦 What is this software?
Database Backups (Database Backups Project): a WordPress plugin that creates, stores and deletes backups of the site database from the admin dashboard.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could have a privileged victim's browser delete the site's existing backups, change plugin settings so that scheduled backups stop working, or trigger new backups. CSRF by itself returns nothing to the attacker, so data exposure needs a second step, for example a generated backup file left in a web-accessible location under a guessable name; where that is possible the outcome is loss of the only recovery point plus disclosure of the full database. Otherwise the worst case is data loss and service disruption.
Likely Case
Realistic attacks delete backups or alter settings, causing minor to moderate operational problems: lost restore points, or configuration changes that have to be found and reverted by hand, often noticed only when a backup is actually needed.
If Mitigated
With proper CSRF protection in place (WordPress nonces tied to the user, session and action, validated on every state-changing request), a forged request from another site fails validation, so tricking a user into visiting a malicious page achieves nothing.
🎯 Exploit Status
Exploitation requires that the victim be logged into WordPress with enough privilege to use the plugin (normally an administrator) and be lured to an attacker-controlled page while that session is active; no authentication bypass is involved. Public proof-of-concept details are available in the Packet Storm reference below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version 1.2.2.7 or later. Confirm the fixed release against the WPScan advisory before relying on it; if the plugin directory offers no newer release, treat the plugin as unpatched and apply the measures under "If You Can't Patch".
Vendor Advisory: https://wpscan.com/vulnerability/350c3e9a-bcc2-486a-90e6-d1dc13ce1bd5
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Database Backups' plugin and click 'Update Now' (the link appears only when a newer release is available).
4. Verify that the plugin version shown is 1.2.2.7 or higher.
🔧 Temporary Workarounds
Implement CSRF Protection Manually
Add WordPress nonce checks to every plugin form and action link: wp_nonce_field() or wp_nonce_url() when rendering, check_admin_referer() or wp_verify_nonce() in the handler, together with a current_user_can() capability check. This means editing the plugin's PHP files, which the next plugin update will overwrite, so it is a stopgap and not a substitute for patching.
Command: Not applicable; requires PHP code changes in plugin files.
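To make the workaround concrete, here is an added example (not code from the Database Backups plugin) of a "delete a backup" admin action written the unsafe way the advisory describes, with no CSRF check, and then hardened with a WordPress nonce plus a capability check. The hook names, the dbb_* functions, the nonce field name and the backup directory are hypothetical; the WordPress API calls (add_action, wp_nonce_field, check_admin_referer, current_user_can, wp_nonce_url) are real.

```php
<?php
/**
 * Added example, not from the Database Backups plugin. Shows the same
 * "delete a backup" action without a CSRF check and then hardened.
 * Hook names, dbb_* helpers, nonce names and the backup directory are
 * hypothetical; the WordPress functions used are real.
 */

function dbb_backup_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'dbb-backups/';   // hypothetical location
}

function dbb_delete_backup_file( $name ) {
    $path = dbb_backup_dir() . basename( $name );   // basename(): no path traversal
    return is_file( $path ) && unlink( $path );
}

// --- Vulnerable shape. Any request reaching this hook is honoured, so a hidden
// form on an attacker's page, auto-submitted by a logged-in admin's browser,
// deletes whatever backup the attacker names.
add_action( 'admin_post_dbb_delete_backup_unsafe', function () {
    $raw = isset( $_POST['backup'] ) && is_string( $_POST['backup'] ) ? wp_unslash( $_POST['backup'] ) : '';
    dbb_delete_backup_file( $raw );
    wp_safe_redirect( admin_url( 'admin.php?page=database-backups' ) );
    exit;
} );

// --- Hardened shape, part 1: the form carries a nonce bound to this action and
// to the specific backup name, in a field called dbb_nonce.
function dbb_render_delete_form( $backup_name ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dbb_delete_backup">
        <input type="hidden" name="backup" value="<?php echo esc_attr( $backup_name ); ?>">
        <?php wp_nonce_field( 'dbb_delete_backup_' . $backup_name, 'dbb_nonce' ); ?>
        <button type="submit" class="button button-link-delete">Delete backup</button>
    </form>
    <?php
}

// --- Hardened shape, part 2: the handler checks who is asking and whether the
// request really originated from our own form.
add_action( 'admin_post_dbb_delete_backup', function () {
    // Authorisation first: a nonce is not a permission check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to delete backups.', '', array( 'response' => 403 ) );
    }
    $raw = isset( $_POST['backup'] ) && is_string( $_POST['backup'] ) ? wp_unslash( $_POST['backup'] ) : '';
    // CSRF: the nonce is tied to the logged-in user, their session and this
    // backup name; a missing, expired or mismatched nonce dies with HTTP 403.
    check_admin_referer( 'dbb_delete_backup_' . $raw, 'dbb_nonce' );
    dbb_delete_backup_file( $raw );
    wp_safe_redirect( add_query_arg( 'deleted', '1', admin_url( 'admin.php?page=database-backups' ) ) );
    exit;
} );

// --- The same protection for a state-changing link (GET) rather than a form:
// wp_nonce_url() appends _wpnonce, which check_admin_referer() reads by default.
function dbb_generate_backup_link() {
    return wp_nonce_url( admin_url( 'admin-post.php?action=dbb_generate_backup' ), 'dbb_generate_backup' );
}

add_action( 'admin_post_dbb_generate_backup', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to create backups.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'dbb_generate_backup' );
    // The actual dump routine would hook this (hypothetical) action.
    do_action( 'dbb_run_backup', get_current_user_id() );
    wp_safe_redirect( add_query_arg( 'created', '1', admin_url( 'admin.php?page=database-backups' ) ) );
    exit;
} );
```

The order matters: the capability check comes before the nonce check because a valid nonce only proves the request came from a page WordPress rendered for this user, not that the user is allowed to perform the action. Binding the nonce to the backup name means a forged request cannot reuse a nonce captured for one file to delete another.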
🧯 If You Can't Patch
- Deactivate the Database Backups plugin if it is not essential (deactivation removes its admin hooks, so the vulnerable handlers no longer run); delete it entirely if it will not be updated.
- Use a web application firewall rule that requires a Referer or Origin header matching your own hostname on requests to the plugin's admin pages and on POSTs to /wp-admin/. A WAF cannot tell that a nonce is missing from a form it has never seen, so this is a coarse control. Modern browsers also default cookies to SameSite=Lax, which stops cross-site POSTs from carrying the WordPress login cookie but not top-level GET navigations, so state-changing links remain exposed.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins; any version up to and including 1.2.2.6 is vulnerable. An inactive copy of a vulnerable version is not reachable through its hooks but should still be updated or removed.
Check Version:
wp plugin list --fields=name,title,version,status | grep -i 'Database Backups'  (if WP-CLI is installed; the --name filter matches the plugin's directory slug rather than its display title, so filter on the title column instead)
Verify Fix Applied:
After updating, confirm the plugin version is 1.2.2.7 or later in the same location.
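For fleets or repeatable checks, the lookup and comparison can be scripted. The following is an added example, not part of this advisory, WordPress or the plugin: a PHP file run through WP-CLI's eval-file command from the site root. It finds the plugin by its display name, so no directory slug has to be assumed, and compares the installed version with the first fixed release named in this advisory. Running it as `wp eval-file check-dbb-version.php` exits 1 when vulnerable, 0 when fixed and 2 when the plugin is not installed. The file name and the dbb_* function names are hypothetical; get_plugins(), is_plugin_active(), version_compare() and the WP_CLI methods are real.

```php
<?php
/**
 * Added example, not from WordPress or the plugin. Save as
 * check-dbb-version.php in the site root and run:
 *     wp eval-file check-dbb-version.php
 * Exit status: 1 = vulnerable, 0 = fixed, 2 = not installed / not under WP-CLI.
 */
if ( ! defined( 'ABSPATH' ) || ! class_exists( 'WP_CLI' ) ) {
    fwrite( STDERR, "Run this through WP-CLI: wp eval-file check-dbb-version.php\n" );
    exit( 2 );
}
require_once ABSPATH . 'wp-admin/includes/plugin.php';   // get_plugins(), is_plugin_active()

define( 'DBB_PLUGIN_NAME', 'Database Backups' );   // "Plugin Name" header as shown in wp-admin
define( 'DBB_FIXED_VERSION', '1.2.2.7' );          // first fixed release per this advisory

/** True when $installed is older than the first fixed release (1.2.2.6, 1.2.2, 1.1 ...). */
function dbb_is_vulnerable( $installed, $fixed = DBB_FIXED_VERSION ) {
    return version_compare( $installed, $fixed, '<' );
}

/** Locate the plugin by display name; returns file, version and activation state, or null. */
function dbb_find_plugin( $name = DBB_PLUGIN_NAME ) {
    foreach ( get_plugins() as $file => $data ) {
        if ( strcasecmp( $data['Name'], $name ) === 0 ) {
            return array(
                'file'    => $file,
                'version' => $data['Version'],
                'active'  => is_plugin_active( $file ),
            );
        }
    }
    return null;
}

$plugin = dbb_find_plugin();
if ( null === $plugin ) {
    WP_CLI::log( DBB_PLUGIN_NAME . ' is not installed.' );
    WP_CLI::halt( 2 );
}

$state = $plugin['active'] ? 'active' : 'inactive';
if ( dbb_is_vulnerable( $plugin['version'] ) ) {
    WP_CLI::warning( sprintf(
        '%s %s (%s, %s) is VULNERABLE to CVE-2021-24174; update to %s or later, or deactivate it.',
        DBB_PLUGIN_NAME, $plugin['version'], $plugin['file'], $state, DBB_FIXED_VERSION
    ) );
    WP_CLI::halt( 1 );
}
WP_CLI::success( sprintf( '%s %s (%s) is at or above %s.', DBB_PLUGIN_NAME, $plugin['version'], $state, DBB_FIXED_VERSION ) );
```

version_compare() treats a shorter version string as lower than a longer one with the same prefix, so 1.2.2 is correctly reported as vulnerable against 1.2.2.7. The activation state is printed because an inactive vulnerable copy is not exploitable through its hooks but still needs updating or removal.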
📡 Detection & Monitoring
Log Indicators:
- Backup generation or deletion events, or settings changes, that the affected administrator does not recognise. WordPress core keeps no audit log of admin actions, so these appear only if an audit-log plugin or the plugin's own logging is in place. Because a CSRF request is issued by the victim's own browser, the source IP and session are the legitimate user's; look for actions clustered in time or following a visit to an unrelated site rather than for foreign IP addresses.
Network Indicators:
- In web server access logs, requests to the plugin's admin page (e.g. /wp-admin/admin.php?page=database-backups) that change state (POSTs, or GETs carrying action parameters) whose Referer or Origin header is absent or names a host other than your own. These requests come from the victim's IP address, not from an external source, so filter on the referer, not on the client address. Note that a strict Referrer-Policy on the attacker's page can suppress the header, so absence alone is a weak signal.
SIEM Query:
Example (generic search syntax over web server access logs; field names depend on your log parser, shop.example stands for your own hostname, and action= is a placeholder for the plugin's actual parameter names): source="access.log" AND uri_path="/wp-admin/admin.php" AND uri_query="*page=database-backups*" AND (method="POST" OR uri_query="*action=*") AND NOT referer="*shop.example*"
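The same heuristic as a runnable scan over access-log lines, as an added example that is not part of this advisory. It parses combined-log-format lines, treats POSTs and parameterised GETs to the plugin page as potentially state-changing, and flags those whose Referer is missing or points at another host. The endpoint path is the one used as an example above, the site hostname shop.example is assumed, and the log lines are constructed for this example; the plugin's real parameter names are not known here, so any parameter beyond page counts.

```php
<?php
/**
 * Added example, not from the advisory, WordPress or the plugin (PHP >= 7.0).
 * Heuristic scan of combined-log-format access log lines for CSRF-shaped
 * requests to the plugin's admin page. The endpoint, the hostname
 * SITE_HOST and the sample log lines are constructed for this example.
 */

const SITE_HOST = 'shop.example';   // assumed: the site's own hostname

// host ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';

function parse_log_line( $line ) {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null;
    }
    return array(
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
        'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7],
    );
}

/** Returns a reason string when the request looks like a cross-site trigger, else null. */
function csrf_indicator( array $req, $site_host = SITE_HOST ) {
    $parts = parse_url( $req['path'] );
    $path  = $parts['path'] ?? '';
    parse_str( $parts['query'] ?? '', $q );

    // Only the plugin's own admin page is of interest.
    if ( $path !== '/wp-admin/admin.php' || ( $q['page'] ?? '' ) !== 'database-backups' ) {
        return null;
    }
    // A bare GET of the page is a view; POSTs or extra parameters may change state.
    $extra = array_diff_key( $q, array( 'page' => 1 ) );
    if ( $req['method'] !== 'POST' && empty( $extra ) ) {
        return null;
    }
    if ( $req['referer'] === '' || $req['referer'] === '-' ) {
        return 'state-changing request with no Referer';
    }
    $ref_host = (string) parse_url( $req['referer'], PHP_URL_HOST );
    if ( strcasecmp( $ref_host, $site_host ) !== 0 ) {
        return 'state-changing request referred from ' . $ref_host;
    }
    return null;
}

/** Scan lines and return one human-readable finding per suspicious request. */
function scan_log( array $lines ) {
    $hits = array();
    foreach ( $lines as $line ) {
        $req = parse_log_line( $line );
        if ( $req && ( $why = csrf_indicator( $req ) ) ) {
            $hits[] = sprintf( '%s %s %s %s (%s)', $req['time'], $req['ip'], $req['method'], $req['path'], $why );
        }
    }
    return $hits;
}

// Constructed sample: a page view, a legitimate in-site delete, then two suspicious
// requests from the SAME client IP as the legitimate user, which is what CSRF looks like.
$sample = array(
    '203.0.113.5 - - [12/Jun/2021:10:01:02 +0000] "GET /wp-admin/admin.php?page=database-backups HTTP/1.1" 200 5123 "https://shop.example/wp-admin/plugins.php" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jun/2021:10:01:30 +0000] "GET /wp-admin/admin.php?page=database-backups&action=delete&file=db-2021-06-11.sql HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=database-backups" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jun/2021:10:07:44 +0000] "GET /wp-admin/admin.php?page=database-backups&action=delete&file=db-2021-06-11.sql HTTP/1.1" 302 0 "https://evil.example/win-a-prize.html" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jun/2021:10:07:45 +0000] "POST /wp-admin/admin.php?page=database-backups HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
);

foreach ( scan_log( $sample ) as $hit ) {
    echo $hit, PHP_EOL;   // the third and fourth sample lines are reported
}
```

Two limitations follow from the log source: POST bodies are not logged, so a missing _wpnonce field cannot be seen directly, and the Referer can be suppressed by the attacker's page, so the no-Referer case is a weaker signal than a foreign referer. Treat hits as leads to correlate with the administrator's own recollection and with any audit-log plugin events.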
🔗 References
- http://packetstormsecurity.com/files/163091/WordPress-Database-Backups-1.2.2.6-Cross-Site-Request-Forgery.html
- https://wpscan.com/vulnerability/350c3e9a-bcc2-486a-90e6-d1dc13ce1bd5