CVE-2024-8702
📋 TL;DR
The Backup Database WordPress plugin through version 4.9 contains a stored cross-site scripting (XSS) vulnerability in its settings. Authenticated administrators can inject scripts that execute when other users view the affected pages, even on WordPress multisite installations where the unfiltered_html capability is restricted. Only WordPress sites running vulnerable versions of this specific plugin are affected.
💻 Affected Systems
- Backup Database WordPress plugin
📦 What is this software?
Backup Database by Wpproking
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin privileges could inject malicious JavaScript that steals session cookies, redirects users to phishing sites, or performs actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Malicious admin or compromised admin account injects scripts that affect other privileged users, potentially leading to privilege escalation or data theft within the WordPress environment.
If Mitigated
With proper access controls and admin account security, impact is limited to authorized administrators intentionally misusing their privileges.
🎯 Exploit Status
Exploitation requires an administrator-level WordPress account; the vulnerable fields are plugin settings that only administrators can edit. The practical concern is multisite installations, where site administrators are deliberately denied unfiltered_html and are not trusted to store script.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.10 or later
Vendor Advisory: https://wpscan.com/vulnerability/2199ef66-25bd-4eb4-a675-d8b30f047847/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Backup Database' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.10 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Backup Database Plugin
Temporarily disable the vulnerable plugin until the patched version can be installed:
wp plugin deactivate backup-database
Restrict Admin Access
Implement strict access controls and monitoring for WordPress administrator accounts.
🧯 If You Can't Patch
- Remove the Backup Database plugin entirely if updating is not possible
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel → Plugins → Backup Database → Version. If the version is 4.9 or earlier, the site is vulnerable.
Check Version:
wp plugin get backup-database --field=version
Verify Fix Applied:
Verify Backup Database plugin version is 4.10 or later in WordPress admin plugins page.
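The version check above is easy to get wrong in a script, because a plain string comparison ranks "4.9" above "4.10". The following added example (not part of this advisory or of the plugin) compares numeric version components instead. It assumes the plugin slug `backup-database` used in the wp-cli commands above and, for the live check, that wp-cli is on PATH.

```python
"""Version check for the Backup Database plugin (CVE-2024-8702).

Added example: not code from the advisory or the plugin. Assumes the
plugin slug `backup-database` (from the advisory's wp-cli commands) and
that wp-cli is on PATH when run against a live WordPress install.
"""
import re
import subprocess

FIXED_VERSION = "4.10"          # first release the advisory lists as patched
PLUGIN_SLUG = "backup-database"  # slug used in the advisory's wp-cli commands


def parse_version(version: str) -> tuple:
    """Turn '4.9', '4.10', '4.9.1' or '4.10-beta1' into a comparable tuple.

    Only the leading numeric components count; suffixes such as '-beta1'
    are dropped. Comparing tuples of ints avoids the string-comparison
    mistake where '4.9' sorts after '4.10'.
    """
    numbers = re.match(r"^\d+(?:\.\d+)*", version.strip())
    if not numbers:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in numbers.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is below the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_version(wp_path: str = ".") -> str:
    """Ask wp-cli for the installed version (needs a live WordPress install).

    `--path` is wp-cli's standard global option for the WordPress root.
    """
    result = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    status = f"VULNERABLE, update to {FIXED_VERSION} or later" if is_vulnerable(version) else "patched"
    print(f"{PLUGIN_SLUG} {version}: {status}")
```

Run it from the WordPress root (or pass the path) on each site; on multisite, one check per network suffices because plugin code is shared.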
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to Backup Database plugin settings
- Admin users making unexpected changes to plugin configurations
- JavaScript payloads in plugin setting fields
Network Indicators:
- Unexpected external script loads from WordPress admin pages
- Suspicious outbound connections from admin sessions
SIEM Query:
source="wordpress.log" AND ("backup-database" OR "backup database") AND ("update" OR "modif" OR "save")
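The "JavaScript payloads in plugin setting fields" and "unusual modifications to plugin settings" indicators above can be checked mechanically. The following added example (not from this advisory or the plugin) scans an exported set of option values and a constructed audit-log format for markup that can execute script, undoing URL- and HTML-encoding first so encoded payloads are not missed. The option names, the log-line format and all sample values are constructed for the example; the audit-log layout in particular is an assumption, since WordPress core does not log option writes without an auditing plugin.

```python
"""Scan stored plugin settings and audit-log lines for script payloads.

Added example for CVE-2024-8702: not code from the advisory or the plugin.
Option names, the log-line format and every sample value are constructed.
"""
import html
import json
import re
from urllib.parse import unquote

# Markers that have no business in a backup plugin's settings values.
# Heuristic: a legitimate value such as "one=1" would also trip the
# event-handler pattern, so treat hits as leads to review, not proof.
SCRIPT_MARKERS = re.compile(
    r"<\s*(script|svg|iframe|img|object|embed)\b"   # tag-based injection
    r"|javascript\s*:"                               # javascript: URLs
    r"|\bon[a-z]+\s*="                               # inline event handlers
    r"|srcdoc\s*=",                                  # iframe srcdoc
    re.IGNORECASE,
)


def normalise(value: str, rounds: int = 3) -> str:
    """Strip URL- and HTML-encoding layers so encoded payloads still match.

    Each round undoes one layer of percent-encoding and one of HTML
    entities; it stops early once the text no longer changes.
    """
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_script(value: str) -> bool:
    """True if a settings value contains markup that can execute script."""
    return SCRIPT_MARKERS.search(normalise(value)) is not None


def scan_options(options: dict) -> list:
    """Return the option keys whose values look like injected script."""
    flagged = []
    for key, value in options.items():
        text = value if isinstance(value, str) else json.dumps(value)
        if looks_like_script(text):
            flagged.append(key)
    return flagged


# Constructed audit-log format: key=value pairs, URL-encoded value last.
LOG_LINE = re.compile(
    r"user=(?P<user>\S+) action=(?P<action>\S+) option=(?P<option>\S+) value=(?P<value>.*)$"
)


def scan_log(lines) -> list:
    """Return (user, option) pairs for settings writes carrying script payloads."""
    hits = []
    for line in lines:
        match = LOG_LINE.search(line)
        if not match or match.group("action") != "option_updated":
            continue
        if looks_like_script(match.group("value")):
            hits.append((match.group("user"), match.group("option")))
    return hits


# Constructed sample data; not taken from any real site.
SAMPLE_OPTIONS = {
    "backup_database_email": "ops@example.invalid",
    "backup_database_label": "Nightly backup",
    "backup_database_note": "%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "backup_database_banner": "&lt;img src=x onerror=alert(1)&gt;",
}

SAMPLE_LOG = [
    "2024-09-12T10:11:12Z user=alice action=option_updated option=backup_database_label value=Nightly%20backup",
    "2024-09-12T10:13:40Z user=mallory action=option_updated option=backup_database_note value=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "2024-09-12T10:14:02Z user=mallory action=option_viewed option=backup_database_note value=%3Cscript%3E",
]

if __name__ == "__main__":
    print("flagged options:", scan_options(SAMPLE_OPTIONS))
    print("flagged log writes:", scan_log(SAMPLE_LOG))
```

Feed `scan_options` the plugin's option rows from the database (or the output of `wp option get` for each key) and `scan_log` your audit plugin's lines after adjusting `LOG_LINE`; a hit on a multisite network where site administrators lack unfiltered_html is the stored-XSS condition this advisory describes.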