Project: WordPress Plugin Backup Bank: WordPress Backup Plugin 4.0.21

Vulnerability: #8313603 (2018-06-07 22:46:49)

Warning

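This scanner reports many false positives and unexploitable findings. Please create a working "PoC" exploit before reporting anything to the vendor! For this finding, the excerpts do not show how `$file_name` (written at line 575) is derived from `restore_path` (read at line 177). Note also that `sanitize_text_field()` does not normalise or restrict file paths, and that the branch is gated by `wp_verify_nonce()`. Confirm the actual data flow and the access it requires before treating the finding as real.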

Details:

Sink: Standard::file_put_contents
Risk (tainted source): $_REQUEST
Tainted input read at: /wp-backup-bank/lib/action-library.php:177
157                    $update_email_setting_data = array();
158                    $update_email_setting_data["backup_to_email"] = sanitize_text_field($email_settings_form_data["ux_ddl_email_settings_enable_disable"]);
159                    $update_email_setting_data["email_address"] = sanitize_text_field($email_settings_form_data["ux_txt_email_address"]);
160                    $update_email_setting_data["cc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_cc"]);
161                    $update_email_setting_data["bcc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_bcc"]);
162                    $update_email_setting_data["email_subject"] = sanitize_text_field($email_settings_form_data["ux_txt_email_subject"]);
163                    $update_email_setting_data["email_message"] = htmlspecialchars_decode($email_settings_form_data["ux_txt_email_settings_message"]);
164  
165                    $email_setting_data = array();
166                    $where = array();
167                    $where["meta_id"] = isset($bb_email_settings_id) ? intval($bb_email_settings_id) : 0;
168                    $where["meta_key"] = "email_settings";
169                    $email_setting_data["meta_value"] = serialize($update_email_setting_data);
170                    $obj_dbHelper_backup_bank->updateCommand(backup_bank_meta(), $email_setting_data, $where);
171                 }
172                 break;
173  
174              case "backup_bank_manage_backups_module":
175                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_manage_backups")) {
176                    $backup_id = isset($_REQUEST["id"]) ? intval($_REQUEST["id"]) : "";
177 $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
178 179 $bb_backup_data = $wpdb->get_row
Threat level 2

Callstack:

@INLINE::/wp-backup-bank/lib/action-library.php /wp-backup-bank/lib/action-library.php:575
555  
556                       case "google_drive":
557                          $google_drive_data = $wpdb->get_var
558                              (
559                              $wpdb->prepare
560                                  (
561                                  "SELECT meta_value FROM " . backup_bank_meta() .
562                                  " WHERE meta_key=%s", "google_drive"
563                              )
564                          );
565                          $google_drive_data_array = maybe_unserialize($google_drive_data);
566                          $obj_google_drive_backup_bank = new google_drive_backup_bank();
567                          $check = $obj_google_drive_backup_bank->google_drive_check_auth_token(sanitize_text_field($google_drive_data_array["client_id"]), sanitize_text_field($google_drive_data_array["secret_key"]), sanitize_text_field($google_drive_data_array["redirect_uri"]));
568                          if ($check == "601") {
569                             echo "601";
570                             die();
571                          }
572                          break;
573                    }
574  
575 file_put_contents($file_name, "");
576 $message = "{" . "\r\n"; 577 $message .= '"log": ' . '"Starting Backup"' . ',' . "\r\n";