Project: Wordpress Plugin Backup Bank: WordPress Backup Plugin 4.0.21

Vulnerability: #8313601 (2018-06-07 22:46:49)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink Standard::file_put_contents
Risk _REQUEST
/wp-backup-bank/lib/action-library.php:177 (show/hide source)
157                    $update_email_setting_data = array();
158                    $update_email_setting_data["backup_to_email"] = sanitize_text_field($email_settings_form_data["ux_ddl_email_settings_enable_disable"]);
159                    $update_email_setting_data["email_address"] = sanitize_text_field($email_settings_form_data["ux_txt_email_address"]);
160                    $update_email_setting_data["cc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_cc"]);
161                    $update_email_setting_data["bcc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_bcc"]);
162                    $update_email_setting_data["email_subject"] = sanitize_text_field($email_settings_form_data["ux_txt_email_subject"]);
163                    $update_email_setting_data["email_message"] = htmlspecialchars_decode($email_settings_form_data["ux_txt_email_settings_message"]);
164  
165                    $email_setting_data = array();
166                    $where = array();
167                    $where["meta_id"] = isset($bb_email_settings_id) ? intval($bb_email_settings_id) : 0;
168                    $where["meta_key"] = "email_settings";
169                    $email_setting_data["meta_value"] = serialize($update_email_setting_data);
170                    $obj_dbHelper_backup_bank->updateCommand(backup_bank_meta(), $email_setting_data, $where);
171                 }
172                 break;
173  
174              case "backup_bank_manage_backups_module":
175                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_manage_backups")) {
176                    $backup_id = isset($_REQUEST["id"]) ? intval($_REQUEST["id"]) : "";
177 $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
178 179 $bb_backup_data = $wpdb->get_row
Threat level 2

Callstack:

@INLINE::/wp-backup-bank/lib/action-library.php /wp-backup-bank/lib/action-library.php:473 (show/hide source)
453                  break;
454  
455              case "backup_bank_restore_message":
456                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_restore_message")) {
457                    $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
458                    $location = trailingslashit(str_replace(content_url(), WP_CONTENT_DIR, dirname(dirname($restore_path)))) . "restore/";
459                    !is_dir($location) ? wp_mkdir_p($location) : "";
460  
461                    $remove_ext = strstr(basename($restore_path), ".");
462                    $archive_name = str_replace($remove_ext, "", basename($restore_path));
463  
464                    $file_name = trailingslashit($location) . $archive_name . ".json";
465                    $file_url_path = trailingslashit(dirname(dirname($restore_path))) . "restore/" . $archive_name . ".json";
466  
467                    $result = 1;
468                    file_put_contents($file_name, "");
469                    $message = "{" . "\r\n";
470                    $message .= '"log": ' . '"Restoring Backup"' . ',' . "\r\n";
471                    $message .= '"perc": ' . $result . "\r\n";
472                    $message .= "}";
473 file_put_contents($file_name, $message);
474 475 echo $file_url_path;