CVE-2023-5505
📋 TL;DR
The BackWPup WordPress plugin up to version 4.0.1 contains a directory traversal vulnerability in the job-specific backup folder configuration. Authenticated attackers can store backups in arbitrary server directories, potentially disabling other websites in shared hosting environments by overwriting critical files. This affects WordPress sites using vulnerable BackWPup versions.
💻 Affected Systems
- BackWPup WordPress Plugin
📦 What is this software?
Backwpup by Inpsyde
⚠️ Risk & Real-World Impact
Worst Case
Attacker disables other websites on shared hosting by overwriting index.php and .htaccess files, potentially causing complete site unavailability and data loss.
Likely Case
Unauthorized backup storage in sensitive directories, potential website disruption in shared environments, and possible information disclosure through backup file placement.
If Mitigated
Limited to authenticated users only, with impact restricted to directories writable by the web server process.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is well-documented with public code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.2
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3000176/backwpup/trunk/inc/class-destination-folder.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find BackWPup and click 'Update Now'.
4. Verify the version is 4.0.2 or higher.
🔧 Temporary Workarounds
Disable BackWPup Plugin
(all platforms) Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate backwpup
Restrict Backup Directory Permissions
(Linux) Set strict permissions on web server directories to prevent unauthorized writes
chmod 755 /var/www/html
chown root:www-data /var/www/html
🧯 If You Can't Patch
- Remove BackWPup plugin entirely if patching is not possible
- Implement strict access controls and monitor for unauthorized backup directory changes
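The flaw in the TL;DR is a job-specific backup folder that is accepted without being confined to the plugin's backup base, so an absolute path or `..` segments can land backups in another site's directory. The following is an added illustration (not BackWPup's code, and not the vendor's fix) of the containment check a safe implementation needs, usable by an administrator to audit configured job folders; the base directory and job settings are constructed assumptions.

```python
import os
from typing import Dict, Optional

# Constructed base: where job backups are expected to live (assumed path, not taken from the advisory)
BASE_DIR = "/var/www/site-a/wp-content/uploads/backwpup"


def resolve_backup_dir(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute folder for a job only if it stays inside base_dir, else None.

    A vulnerable implementation uses the job-specific folder as given. This check
    rejects absolute paths, '..' segments and symlink hops that escape the base.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when `requested` is absolute; the containment
    # test below is what catches that case, so do not pre-strip the input.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        # commonpath compares whole components, so a sibling such as base + "2"
        # is correctly treated as outside base (a plain startswith() would not).
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # mixed absolute/relative or different drives
        return None
    return candidate


def audit_job_folders(base_dir: str, job_folders: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each job id to its resolved folder, or None when it would escape base_dir."""
    return {job: resolve_backup_dir(base_dir, folder) for job, folder in job_folders.items()}


if __name__ == "__main__":
    # Constructed job settings: one legitimate folder and three that escape the base
    sample_jobs = {
        "1": "daily",
        "2": "../../../../site-b/public_html",
        "3": "/var/www/site-b",
        "4": "daily/../../..",
    }
    for job, result in audit_job_folders(BASE_DIR, sample_jobs).items():
        print(job, "OK" if result else "REJECTED", result or sample_jobs[job])
```

Any job whose folder resolves to None is one an unpatched plugin would have written outside the backup base.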
🔍 How to Verify
Check if Vulnerable:
Check the BackWPup version under WordPress admin panel > Plugins. If the version is 4.0.1 or lower, the site is vulnerable.
Check Version:
wp plugin get backwpup --field=version
Verify Fix Applied:
Verify BackWPup version is 4.0.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual backup directory paths in BackWPup logs
- Multiple failed attempts to set backup directories
- Changes to backup folder configuration by non-admin users
Network Indicators:
- Unusual HTTP POST requests to BackWPup configuration endpoints
SIEM Query:
source="wordpress.log" AND "backwpup" AND ("backup_dir" OR "job-specific" OR "directory traversal")
🔗 References
- https://plugins.trac.wordpress.org/browser/backwpup/trunk/inc/class-page-editjob.php?rev=2818974#L29
- https://plugins.trac.wordpress.org/changeset/3000176/backwpup/trunk/inc/class-destination-folder.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2980789%40backwpup%2Ftrunk&old=2954541%40backwpup%2Ftrunk&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3000176%40backwpup&new=3000176%40backwpup&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/98085a23-0cb6-442a-a28a-cb5c2890b60d?source=cve