Project: Wordpress Plugin Backup Bank: WordPress Backup Plugin 4.0.21

Vulnerability: #8313605 (2018-06-07 22:46:49)

Warning

Many reported findings are false positives or unexploitable. Please build a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink PHP::echo
Risk _REQUEST
/wp-backup-bank/lib/action-library.php:177
157                    $update_email_setting_data = array();
158                    $update_email_setting_data["backup_to_email"] = sanitize_text_field($email_settings_form_data["ux_ddl_email_settings_enable_disable"]);
159                    $update_email_setting_data["email_address"] = sanitize_text_field($email_settings_form_data["ux_txt_email_address"]);
160                    $update_email_setting_data["cc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_cc"]);
161                    $update_email_setting_data["bcc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_bcc"]);
162                    $update_email_setting_data["email_subject"] = sanitize_text_field($email_settings_form_data["ux_txt_email_subject"]);
163                    $update_email_setting_data["email_message"] = htmlspecialchars_decode($email_settings_form_data["ux_txt_email_settings_message"]);
164  
165                    $email_setting_data = array();
166                    $where = array();
167                    $where["meta_id"] = isset($bb_email_settings_id) ? intval($bb_email_settings_id) : 0;
168                    $where["meta_key"] = "email_settings";
169                    $email_setting_data["meta_value"] = serialize($update_email_setting_data);
170                    $obj_dbHelper_backup_bank->updateCommand(backup_bank_meta(), $email_setting_data, $where);
171                 }
172                 break;
173  
174              case "backup_bank_manage_backups_module":
175                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_manage_backups")) {
176                    $backup_id = isset($_REQUEST["id"]) ? intval($_REQUEST["id"]) : "";
177 $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
178 179 $bb_backup_data = $wpdb->get_row
Threat level 2

Callstack:

@INLINE::/wp-backup-bank/lib/action-library.php /wp-backup-bank/lib/action-library.php:583
563                              )
564                          );
565                          $google_drive_data_array = maybe_unserialize($google_drive_data);
566                          $obj_google_drive_backup_bank = new google_drive_backup_bank();
567                          $check = $obj_google_drive_backup_bank->google_drive_check_auth_token(sanitize_text_field($google_drive_data_array["client_id"]), sanitize_text_field($google_drive_data_array["secret_key"]), sanitize_text_field($google_drive_data_array["redirect_uri"]));
568                          if ($check == "601") {
569                             echo "601";
570                             die();
571                          }
572                          break;
573                    }
574  
575                    file_put_contents($file_name, "");
576                    $message = "{" . "\r\n";
577                    $message .= '"log": ' . '"Starting Backup"' . ',' . "\r\n";
578                    $message .= '"perc": ' . $result . ',' . "\r\n";
579                    $message .= '"status": ' . '"Starting"' . ',' . "\r\n";
580                    $message .= '"cloud": ' . '1' . "\r\n";
581                    $message .= "}";
582                    file_put_contents($file_name, $message);
583 echo untrailingslashit($file_url_path);
584 } 585 break;