Patch now to protect against critical attacks

UPDATED A critical vulnerability in a popular WordPress plugin could allow attackers to take over a victim’s entire system, researchers have warned.

The issue was first reported back in April, when service provider Plugin Vulnerabilities publicly disclosed a configuration change flaw in WP Database Backup, a popular plugin with more than 70,000 downloads.

This vulnerability allowed unauthenticated attackers to change the recipient’s email address used for database backups, potentially allowing them to access sensitive information.

The flaw wasn’t reported to the developers of the plugin so that they could patch before it became public knowledge – but more on that later.

Some weeks after the bug’s initial disclosure, Wordfence has now revealed how the vulnerability was actually much more severe than was first thought, as it could allow an attacker to take complete control over a victim’s system.

The threat Intelligence team found that in unpatched versions of the plugin, an attacker is able to inject OS commands arbitrarily, which then execute when the software performs a database backup.

These commands continue to execute until they are manually removed, the team warned.

Mikey Veenstra, threat analyst at Wordfence, told The Daily Swig: “The original vulnerability allows certain settings within the plugin to be modified by an attacker. The example provided in its disclosure featured an attacker configuring the plugin to send database backup files to an email they control.

“Our discovery makes use of the same vector, configuration changes. One of the settings could be exploited in such a way that operating system commands would be executed when a new backup was generated, so an attacker had much greater access.

“They could install malicious PHP scripts, open meterpreters or other listeners, whatever they wanted.”

The plugin developers were alerted to the issue, and patch has now been released for version 5.2 of the WP Database Backup.

The issue of responsible disclosure was raised by the Wordfence team, which called Plugin Vulnerabilities out for allegedly not notifying developers in the first instance.

The importance of coordinated disclosure is a topic The Daily Swig previously explored with the CEO of bug bounty platform HackerOne, Adam Bacchus.

Veenstra added: “When security issues aren't disclosed properly, there's a great risk that malicious actors will take advantage of the new information before the developers are even aware of the vulnerability.

“Hackers monitor sources where these sorts of disclosures happen so they can act on them quickly, but plugin developers aren't staking them all out listening for mentions of their own code. They almost never hear about it until their users start complaining about getting hacked.”

This article has been updated to include comment from Wordfence.

RELATED WordPress 5.2 rolls out with fresh security improvements