There is a missing authorization check in the WPvivid plugin that can lead to the exposure of the database and almost all files of the WordPress site.
WPvivid Backup Plugin is described as “Migrate the copy of WP web site to a fresh host (a fresh domain), schedule backups, deliver backups to leading remote control storage. All in a single back-up & migration plugin”.
When we looked through the code of the plugin, we noticed that there are wp_ajax actions that do not have a proper authorization check in place and are also missing nonce checks, which results in CSRF as well.
The plugin has 30,000+ active installations as of February 28th, 2020. The issue has been fixed in version 0.9.36.
The most significant registered wp_ajax action that does not have an authorization check is wp_ajax_wpvivid_add_remote.
It allows any authenticated user, regardless of their user role, to add a new remote storage location and set it as the default backup location.
This means that the next time the backup runs, it will use this backup location and upload the backup to that location.
For example, a malicious user could create an S3 bucket at AWS and set it as the default remote location on the site. Then, the next time the backup runs, the complete database and/or files will be uploaded to the malicious user's S3 bucket.
In /contains/class-wpvivid.php, we see the following code:

if(is_admin())
//Add ajax hook

is_admin() also returns true on /wp-admin/admin-ajax.php, which can be called by regular users. The load_ajax_hook_for_admin function loads a lot of wp_ajax actions.
Surprisingly, all of them except the wp_ajax_wpvivid_add_remote action have an authorization check. However, this may not matter, since there is not a single nonce check in the whole plugin, which causes CSRF issues in almost every action.
The wp_ajax_wpvivid_add_remote action calls the add_remote function, which determines the type of remote location, checks its validity and adds it to the list of remote locations.
It also checks if the default attribute exists and, if so, adjusts the scheduled backup settings to change the remote location to the one that has been added.

The Patch
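The add_remote handler described above lacked both a capability check and a nonce check. The following is an added example, not WPvivid's code, of an AJAX handler that performs both before touching any state; the `mybackup_*` names, the option key, the script handle and the allow-list are hypothetical.

```php
<?php
// Added illustration: hypothetical plugin code, not taken from WPvivid.
// Action name, nonce action, option key and field names are assumptions.

const MYBACKUP_NONCE_ACTION = 'mybackup_ajax';

// wp_ajax_{action} fires for ANY logged-in user, including subscribers,
// so registering the hook behind is_admin() is not an access control.
add_action('wp_ajax_mybackup_add_remote', 'mybackup_add_remote');

// Shared guard: verify the nonce (CSRF) and the caller's capability.
function mybackup_ajax_guard()
{
    // Third argument false: return false instead of dying, so we can reply in JSON.
    if (!check_ajax_referer(MYBACKUP_NONCE_ACTION, 'nonce', false)) {
        wp_send_json_error(array('error' => 'invalid nonce'), 403); // exits
    }
    // Only users who can manage site options may change backup targets.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('error' => 'forbidden'), 403); // exits
    }
}

function mybackup_add_remote()
{
    mybackup_ajax_guard(); // runs before any input is read or state changes

    $type = isset($_POST['type']) ? sanitize_key(wp_unslash($_POST['type'])) : '';
    $allowed = array('s3', 'sftp', 'ftp'); // constructed allow-list
    if (!in_array($type, $allowed, true)) {
        wp_send_json_error(array('error' => 'unknown remote type'), 400);
    }

    // Record who added the remote so later review can attribute the change.
    $remotes = get_option('mybackup_remotes', array());
    $remotes[] = array('type' => $type, 'added_by' => get_current_user_id());
    update_option('mybackup_remotes', $remotes);

    wp_send_json_success(array('count' => count($remotes)));
}

// Hand the nonce to the plugin's own admin script (assumed to be enqueued
// under the handle 'mybackup-admin'); other origins cannot read it.
add_action('admin_enqueue_scripts', function () {
    wp_localize_script('mybackup-admin', 'mybackupAjax', array(
        'nonce' => wp_create_nonce(MYBACKUP_NONCE_ACTION),
    ));
});
```

Calling one shared guard as the first statement of every handler makes a missing check easy to spot in review: any `wp_ajax_` callback that does not start with it is a finding.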
The changes are available here, where we can see that a call to ajax_check_safety has been added in multiple places. This function checks the validity of the nonce token and checks the user role.

Timeline
28-02-2020 – Discovery of the vulnerability in WPvivid and release of a virtual patch to all WebARX customers.
28-02-2020 – Reported the issue to the developer of the WPvivid plugin.
05-03-2020 – Asked for an update regarding the report.
17-03-2020 – New version released that fixes the vulnerability in the WPvivid plugin.
"Vulnerability In WPvivid Backup Plugin Can Result In Database Leak" appeared first on WebARX.