Project: WordPress Plugin Backup Bank: WordPress Backup Plugin 4.0.21

Vulnerability: #8313598 (2018-06-07 22:46:47)

Warning

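This scanner output contains many false positives and findings that are not exploitable in practice. Confirm a finding with a working proof of concept ("PoC") before reporting it to the vendor. For this finding, the flagged branch sits behind a wp_verify_nonce() check and only basename($restore_path) is passed to backup_bank_restore_backup_db(); the excerpt does not show how $working_dir_localpath, the argument to unlink(), is derived, so verify that before treating the deletion as controlled by the request.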

Details:

Sink Standard::unlink
Risk _REQUEST
/wp-backup-bank/lib/action-library.php:177
157                    $update_email_setting_data = array();
158                    $update_email_setting_data["backup_to_email"] = sanitize_text_field($email_settings_form_data["ux_ddl_email_settings_enable_disable"]);
159                    $update_email_setting_data["email_address"] = sanitize_text_field($email_settings_form_data["ux_txt_email_address"]);
160                    $update_email_setting_data["cc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_cc"]);
161                    $update_email_setting_data["bcc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_bcc"]);
162                    $update_email_setting_data["email_subject"] = sanitize_text_field($email_settings_form_data["ux_txt_email_subject"]);
163                    $update_email_setting_data["email_message"] = htmlspecialchars_decode($email_settings_form_data["ux_txt_email_settings_message"]);
164  
165                    $email_setting_data = array();
166                    $where = array();
167                    $where["meta_id"] = isset($bb_email_settings_id) ? intval($bb_email_settings_id) : 0;
168                    $where["meta_key"] = "email_settings";
169                    $email_setting_data["meta_value"] = serialize($update_email_setting_data);
170                    $obj_dbHelper_backup_bank->updateCommand(backup_bank_meta(), $email_setting_data, $where);
171                 }
172                 break;
173  
174              case "backup_bank_manage_backups_module":
175                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_manage_backups")) {
176                    $backup_id = isset($_REQUEST["id"]) ? intval($_REQUEST["id"]) : "";
177 $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
178 179 $bb_backup_data = $wpdb->get_row
Threat level 1

Callstack:

backup_bank_restore::backup_bank_restore_backup_db /wp-backup-bank/lib/helper.php:2312
2292                       return $do_exec;
2293                    }
2294                 } else {
2295                    $this->backup_bank_log("Skipped SQL statement (unwanted type=$sql_type): $sql_line \r\n");
2296                 }
2297                 $sql_line = "";
2298                 $sql_type = -1;
2299              }
2300              $this->backup_bank_log("Leaving Maintenance Mode.\r\n");
2301              $this->maintenance_mode("disable");
2302  
2303              if ($restoring_table) {
2304                 $this->restored_table($restoring_table, $import_table_prefix, $this->old_table_prefix);
2305              }
2306              $time_taken = microtime(true) - $this->start_time;
2307              $this->backup_bank_log("Total <b>" . $this->line . "</b> Database queries has been Processed in <b>" . round($time_taken, 1) . " seconds</b>.\r\n");
2308              if ($is_plain) {
2309                 fclose($dbhandle);
2310              } elseif ($is_zip) {
2311                 fclose($dbhandle);
2312 unlink($working_dir_localpath);
2313 } else { 2314 gzclose($dbhandle);
@INLINE::/wp-backup-bank/lib/action-library.php /wp-backup-bank/lib/action-library.php:192
172                 break;
173  
174              case "backup_bank_manage_backups_module":
175                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_manage_backups")) {
176                    $backup_id = isset($_REQUEST["id"]) ? intval($_REQUEST["id"]) : "";
177                    $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
178  
179                    $bb_backup_data = $wpdb->get_row
180                        (
181                        $wpdb->prepare
182                            (
183                            "SELECT meta_key,meta_value FROM " . backup_bank_meta() .
184                            " WHERE meta_id = %d", $backup_id
185                        )
186                    );
187                    $bb_backup_data_array = maybe_unserialize($bb_backup_data->meta_value);
188                    $file_name = basename($restore_path);
189                    $obj_backup_bank_restore = new backup_bank_restore($bb_backup_data_array, $restore_path);
190                    switch (sanitize_text_field($bb_backup_data_array["backup_type"])) {
191                       case "only_database":
192 $restore_ret = $obj_backup_bank_restore->backup_bank_restore_backup_db(untrailingslashit($bb_backup_data_array["folder_location"]) . "/" . $file_name);
193 break; 194