CVE-2023-5504 in BackWPup Plugininfo

Summary

by MITRE • 01/11/2024

The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present) when the first backup job is run that are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to the root of another site in a shared environment and thus disable that site.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2023-5504 affects the BackWPup plugin for WordPress, a widely used backup solution that has been found to contain a critical directory traversal flaw. This security weakness exists in versions up to and including 4.0.1, making it a significant concern for WordPress administrators who rely on this plugin for their site protection. The vulnerability specifically targets the Log File Folder functionality, which is a core component of the plugin's backup operations and represents a direct threat to server security and data integrity.

The technical exploitation of this vulnerability stems from improper input validation within the plugin's directory handling mechanisms. Authenticated attackers who have access to the WordPress admin interface can manipulate the backup directory configuration to store backup files in arbitrary locations on the server filesystem. This occurs because the plugin fails to properly sanitize user-supplied directory paths before using them in file operations. The vulnerability is particularly dangerous because it allows attackers to write files to directories that should normally be restricted, effectively bypassing normal filesystem access controls. According to CWE-22, this represents a classic directory traversal vulnerability where insufficient input validation permits unauthorized access to restricted directories.

The operational impact of this vulnerability extends far beyond simple data exposure, as it can be leveraged to cause significant damage to web server environments. When an attacker successfully exploits this vulnerability, they can set the backup directory to the root of another website hosted on the same server in shared hosting environments. This action triggers the automatic creation of index.php and .htaccess files in the chosen directory, which are designed to prevent directory listing and unauthorized file access. However, when these files are placed in another site's root directory, they effectively disable that site's functionality by preventing directory browsing and potentially blocking access to critical application files. The attacker essentially gains the ability to compromise not just their own site but potentially other sites hosted on the same server, creating a serious multi-tenant security risk.

This vulnerability aligns with several ATT&CK techniques including T1059.001 for command and script interpreter and T1566.001 for phishing with malicious attachments, though the primary threat vector is through the WordPress admin interface. The attack chain typically begins with an authenticated user gaining access to a compromised WordPress account, either through credential theft, social engineering, or other means. The vulnerability's exploitation requires administrative privileges within WordPress, which makes it less likely to be exploited by casual attackers but still poses a significant risk in environments where admin credentials may be compromised. Organizations should note that this vulnerability demonstrates the critical importance of proper input validation and the principle of least privilege in plugin development, as the plugin should never allow users to write files to arbitrary locations without proper authorization checks.

The recommended mitigations for this vulnerability include immediate patching to version 4.0.2 or later, which contains the necessary security fixes. Administrators should also implement additional security measures such as restricting administrative access to only trusted users, implementing strong authentication controls, and monitoring backup directory configurations for unauthorized changes. Network-level protections such as web application firewalls can help detect and prevent exploitation attempts, while regular security audits of installed plugins should be conducted to identify other potential vulnerabilities. The vulnerability highlights the need for comprehensive security testing of WordPress plugins, particularly those that interact with the filesystem, and emphasizes the importance of following security best practices such as input validation, privilege separation, and proper file access controls. Organizations should also consider implementing automated monitoring solutions that can detect unusual file creation patterns or directory changes that might indicate exploitation attempts.

Reservation

10/10/2023

Disclosure

01/11/2024

Moderation

accepted

CPE

ready

EPSS

0.00926

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!