Project: Wordpress Plugin Backup Bank: WordPress Backup Plugin 4.0.21

Vulnerability: #8313608 (2018-06-07 22:46:49)

Warning

There are many false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

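Sink: Standard::file_put_contents
Risk: _REQUEST
Note for triage: the scanner flags `restore_path`, which is read from `$_REQUEST` at line 177 and passed through `sanitize_text_field()`. That function cleans text for display and storage; it does not remove path-traversal sequences or confine a value to an allowed directory. The excerpts below do not show how `$file_name` at line 713 is built, so whether the request value controls the written path has to be confirmed in the full source. The branch at line 175 is also gated by `wp_verify_nonce()`, so reachability depends on who can obtain a valid nonce for that action.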
/wp-backup-bank/lib/action-library.php:177
157                    $update_email_setting_data = array();
158                    $update_email_setting_data["backup_to_email"] = sanitize_text_field($email_settings_form_data["ux_ddl_email_settings_enable_disable"]);
159                    $update_email_setting_data["email_address"] = sanitize_text_field($email_settings_form_data["ux_txt_email_address"]);
160                    $update_email_setting_data["cc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_cc"]);
161                    $update_email_setting_data["bcc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_bcc"]);
162                    $update_email_setting_data["email_subject"] = sanitize_text_field($email_settings_form_data["ux_txt_email_subject"]);
163                    $update_email_setting_data["email_message"] = htmlspecialchars_decode($email_settings_form_data["ux_txt_email_settings_message"]);
164  
165                    $email_setting_data = array();
166                    $where = array();
167                    $where["meta_id"] = isset($bb_email_settings_id) ? intval($bb_email_settings_id) : 0;
168                    $where["meta_key"] = "email_settings";
169                    $email_setting_data["meta_value"] = serialize($update_email_setting_data);
170                    $obj_dbHelper_backup_bank->updateCommand(backup_bank_meta(), $email_setting_data, $where);
171                 }
172                 break;
173  
174              case "backup_bank_manage_backups_module":
175                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_manage_backups")) {
176                    $backup_id = isset($_REQUEST["id"]) ? intval($_REQUEST["id"]) : "";
177 $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
178 179 $bb_backup_data = $wpdb->get_row
Threat level 2

Callstack:

@INLINE::/wp-backup-bank/lib/action-library.php /wp-backup-bank/lib/action-library.php:713
693                              )
694                          );
695                          $google_drive_data_array = maybe_unserialize($google_drive_data);
696                          if (sanitize_text_field($google_drive_data_array["backup_to_google_drive"]) == "disable") {
697                             echo "600";
698                             die();
699                          }
700                          $obj_google_drive_backup_bank = new google_drive_backup_bank();
701                          $check = $obj_google_drive_backup_bank->google_drive_check_auth_token(sanitize_text_field($google_drive_data_array["client_id"]), sanitize_text_field($google_drive_data_array["secret_key"]), sanitize_text_field($google_drive_data_array["redirect_uri"]));
702                          if ($check == "601") {
703                             echo "601";
704                             die();
705                          }
706                          break;
707                    }
708                    $message = "{" . "\r\n";
709                    $message .= '"log": ' . '"Re-running Backup"' . ',' . "\r\n";
710                    $message .= '"perc": ' . $result . "\r\n";
711                    $message .= '"cloud": ' . '1' . "\r\n";
712                    $message .= "}";
713 file_put_contents($file_name, $message);
714 echo $file_url_path; 715 }