March 23

Vulnerability in WPvivid Backup Plugin Can Result in Database Leak

WordPress Vulnerabilities


This post was originally published on this site

There is a missing authorization check in the WPvivid plugin that can lead to the exposure of the database and almost all files of the WordPress site.

The WPvivid Backup Plugin is described as “Migrate a copy of a WP site to a new host (a new domain), schedule backups, send backups to leading remote storage. All in one backup & migration plugin”.

Vulnerability In WPvivid

When we looked through the code of the plugin, we noticed that there are wp_ajax actions that do not have a proper authorization check in place and are also missing nonce checks, which results in CSRF as well.

The plugin had 30,000+ active installations as of February 28th, 2020. The issue has been fixed in version 0.9.36.

The Issue

The most significant registered wp_ajax action that does not have an authorization check is wp_ajax_wpvivid_add_remote.

It allows any authenticated user, regardless of their user role, to add a new remote storage location and set it as the default backup location.

This means that the next time the backup runs, it will use this backup location and upload the backup to that location.

For example, a malicious user could create an S3 bucket at AWS and set it as the default remote location on the site. Then, the next time the backup runs, the complete database and/or files will be uploaded to the S3 bucket of the malicious user.

Code Analysis

In /includes/class-wpvivid.php, we see the following code:

if(is_admin())
{
   $this->define_admin_hook();
   //Add ajax hook
   $this->load_ajax_hook_for_admin();
}

is_admin() also returns true for requests to /wp-admin/admin-ajax.php, which can be called by regular users. The load_ajax_hook_for_admin function registers a number of wp_ajax actions.

Surprisingly, all of them except the wp_ajax_wpvivid_add_remote action have an authorization check. However, this might not matter, since there is not a single nonce check in the entire plugin, which causes CSRF issues in almost every action.

The wp_ajax_wpvivid_add_remote action calls the add_remote function, which determines the type of remote location, checks its validity and adds it to the list of remote locations.

It also checks whether the default attribute exists and, if so, adjusts the scheduled backup settings to change the remote location to the one that was just added.

The Patch

The changes can be seen here, where we can see that a call to ajax_check_safety has been added in multiple places. This function checks the validity of the nonce token and checks the user role.
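
As an added example (not from the original post or the plugin), this Python audit lists each registered wp_ajax action and flags callbacks that lack a capability check or a nonce check, the two gaps described above. The PHP sample is constructed, the `wrappers` parameter is an assumption for helpers such as ajax_check_safety that perform both checks, and the brace matching is naive.

```python
import re
Q = "['\"]"  # either PHP quote character
HOOK = re.compile(r"add_action\(\s*" + Q + r"(wp_ajax_\w+)" + Q + r"\s*,\s*"
                  r"(?:(?:array\(|\[)\s*\$this\s*,\s*)?" + Q + r"(\w+)" + Q)
CAPABILITY = ("current_user_can",)
NONCE = ("check_ajax_referer", "wp_verify_nonce", "check_admin_referer")

# Constructed PHP (not WPvivid's code): hook and function names are hypothetical.
SAMPLE_PHP = r"""
add_action('wp_ajax_example_add_remote', array($this, 'add_remote'));
add_action('wp_ajax_example_list', array($this, 'list_tasks'));
add_action('wp_ajax_example_delete', array($this, 'delete_backup'));
function add_remote() { $this->save_remote($_POST['remote']); }
function list_tasks() {
    if (!current_user_can('manage_options')) { wp_die(); }
    echo json_encode($this->tasks);
}
function delete_backup() { $this->ajax_check_safety(); $this->remove($_POST['id']); }
"""

def function_body(src, name):
    """Text between the braces of `function name(...)`, or None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    start = src.find("{", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for i, ch in enumerate(src[start:], start):  # naive: ignores strings/comments
        depth += (ch == "{") - (ch == "}")
        if depth == 0:
            return src[start + 1:i]
    return None

def calls_any(body, names):
    return any(re.search(r"\b" + re.escape(n) + r"\s*\(", body) for n in names)

def audit(src, wrappers=()):
    """Map each registered wp_ajax action to the checks its callback lacks."""
    report = {}
    for action, callback in HOOK.findall(src):
        body = function_body(src, callback)
        if body is None:
            report[action] = ["callback not found"]
        elif calls_any(body, wrappers):  # helper assumed to do both checks
            report[action] = []
        else:
            report[action] = [label for label, names in
                              (("capability", CAPABILITY), ("nonce", NONCE))
                              if not calls_any(body, names)]
    return report
```

Calling `audit(SAMPLE_PHP, wrappers=("ajax_check_safety",))` reports the add_remote hook as missing both checks and the list hook as missing only the nonce check.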

Timeline

28-02-2020 – Discovery of the vulnerability in WPvivid and release of a virtual patch to all WebARX customers.
28-02-2020 – Reported the issue to the developer of the WPvivid plugin.
05-03-2020 – Asked for an update regarding the report.
17-03-2020 – New version released that fixes the vulnerability in the WPvivid plugin.

The post Vulnerability in WPvivid Backup Plugin Can Result in Database Leak appeared first on WebARX.

About the author 

WP Maintain Support Protect
