CVE-2023-5504
📋 TL;DR
The BackWPup WordPress plugin up to version 4.0.1 contains a directory traversal vulnerability in the Log File Folder setting. Authenticated attackers can store backups in arbitrary server directories, potentially disabling other websites in shared hosting environments by overwriting critical files. This affects WordPress sites using vulnerable BackWPup versions.
💻 Affected Systems
- BackWPup WordPress Plugin
📦 What is this software?
Backwpup by Inpsyde
⚠️ Risk & Real-World Impact
Worst Case
Attacker disables other websites on shared hosting by overwriting index.php and .htaccess files, potentially causing complete service disruption and data loss.
Likely Case
Unauthorized backup storage in sensitive directories, with possible disruption of the attacker's own site if backups are written into its critical directories.
If Mitigated
Limited to backup storage in permitted directories with no ability to execute code or access sensitive data.
🎯 Exploit Status
Exploitation requires an authenticated WordPress user with access to the plugin's configuration (administrator-level permissions); it is not exploitable anonymously.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.2 and later
Vendor Advisory: https://wordpress.org/plugins/backwpup/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find BackWPup and click 'Update Now'.
4. Verify the version is 4.0.2 or higher.
🔧 Temporary Workarounds
Disable BackWPup Plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate backwpup
Restrict Plugin Access
Limit which users can access BackWPup settings
Use WordPress role management to restrict 'manage_options' capability
🧯 If You Can't Patch
- Remove BackWPup plugin entirely and use alternative backup solutions
- Implement strict file permission controls on web server directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → BackWPup → Version. If the version is 4.0.1 or lower, the site is vulnerable.
Check Version:
wp plugin get backwpup --field=version
Verify Fix Applied:
Confirm BackWPup version is 4.0.2 or higher in WordPress admin panel.
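The following POSIX shell script is an added example, not part of this advisory or of the BackWPup project. It wraps the wp-cli version check quoted above in a reusable function that compares the installed version against the fixed release 4.0.2, and adds a path-containment check an operator can apply to the value configured in the Log File Folder setting to confirm it resolves inside the site's own directory (the defensive property the patched versions enforce). It assumes wp-cli is installed and that the hypothetical `check_site` helper is pointed at a WordPress installation path; `path_within` needs both directories to exist so that symlinks and `../` components are resolved.

```shell
#!/bin/sh
# Added example (not from the advisory or the BackWPup project).
FIXED_VERSION="4.0.2"   # first BackWPup release without the traversal issue

# version_lt A B -> exit 0 when dotted version A is strictly lower than B.
# Compares up to three numeric components; non-numeric suffixes are ignored.
version_lt() {
    v1=$1; v2=$2
    oldifs=$IFS; IFS=.
    set -- $v1; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $v2; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    # strip anything after the digits (e.g. "1-beta" -> "1") and default to 0
    a1=${a1%%[!0-9]*}; a1=${a1:-0}; a2=${a2%%[!0-9]*}; a2=${a2:-0}; a3=${a3%%[!0-9]*}; a3=${a3:-0}
    b1=${b1%%[!0-9]*}; b1=${b1:-0}; b2=${b2%%[!0-9]*}; b2=${b2:-0}; b3=${b3%%[!0-9]*}; b3=${b3:-0}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# backwpup_is_vulnerable VERSION -> exit 0 if VERSION is affected (< 4.0.2)
backwpup_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# path_within BASE CANDIDATE -> exit 0 when CANDIDATE resolves (symlinks and
# ../ components included) to a directory at or below BASE. Both must exist;
# BASE is expected to be a real site root, not "/".
path_within() {
    base=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    cand=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$cand" in
        "$base"|"$base"/*) return 0 ;;
    esac
    return 1
}

# check_site WP_PATH -> hypothetical helper: reads the installed version with
# the wp-cli command from the advisory and reports whether it is affected.
check_site() {
    installed=$(wp plugin get backwpup --field=version --path="$1" 2>/dev/null) || {
        echo "SKIP: BackWPup not installed or wp-cli unavailable at $1"
        return 2
    }
    if backwpup_is_vulnerable "$installed"; then
        echo "VULNERABLE: BackWPup $installed (< $FIXED_VERSION) at $1"
        return 1
    fi
    echo "OK: BackWPup $installed at $1"
}

# Usage: sh check_backwpup.sh /var/www/site1 /var/www/site2 ...
# (no arguments -> only the functions are defined)
for site in "$@"; do
    check_site "$site" || true
done
```

Feed `path_within` the site root and the configured Log File Folder; a non-zero exit means the setting points outside the site and should be treated as an indicator, not just a misconfiguration.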
📡 Detection & Monitoring
Log Indicators:
- Unauthorized directory path modifications in BackWPup settings
- Unexpected .htaccess or index.php file creation in non-standard locations
Network Indicators:
- Unusual backup file transfers to unexpected directories
SIEM Query:
source="wordpress" AND (event="plugin_settings_change" AND plugin="backwpup" AND setting="log_folder")
🔗 References
- https://plugins.trac.wordpress.org/browser/backwpup/trunk/inc/class-page-settings.php?rev=2818974#L457
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3000176%40backwpup%2Ftrunk&old=2980789%40backwpup%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e830fe1e-1171-46da-8ee7-0a6654153f18?source=cve