How a Simple WordPress Plugin Opened the Door: CVE-2015-10134 Arbitrary File Download Explained
When a single plugin flaw can expose the keys to your kingdom, the stakes are high. In 2015, a vulnerability in the Simple Backup plugin for WordPress enabled attackers to download sensitive files such as wp-config.php from any site running the affected versions. For thousands of sites, this meant the difference between business as usual and catastrophic compromise. Here we break down the technical details, real-world impact, and the patch that finally closed the door on CVE-2015-10134.
Introduction
WordPress powers over 40% of the web, making its ecosystem of plugins a prime target for attackers. The Simple Backup plugin, designed to help site owners safeguard their data, ironically introduced a critical security risk. In versions up to and including 2.7.10, a flaw in the way backup files were handled allowed unauthenticated users to download any file on the server that the web process could read. The implications were severe: attackers could steal database credentials, authentication salts, and other sensitive configuration data, potentially leading to full site takeover.
About the Simple Backup Plugin: Simple Backup was a moderately popular WordPress plugin, with around 10,000 active installations at the time of disclosure. While not as ubiquitous as UpdraftPlus or BackWPup, it filled an important niche for small and medium-sized sites seeking easy backup solutions. Unfortunately, its security posture lagged behind industry leaders, and the project has since been abandoned, leaving any unpatched installations dangerously exposed.
Technical Information
The heart of CVE-2015-10134 lies in the download_backup_file function of Simple Backup versions up to and including 2.7.10. This function was intended to let authorized users download backup archives. However, it failed to properly validate user input and did not check whether the requester had the necessary permissions.
Vulnerability Mechanism
The vulnerable code used the following pattern:
```php
function download_local_backup_file($filename) {
    // Inadequate sanitization: ltrim() removes only leading '.', '\' and '/'
    // characters, so a traversal sequence later in the string survives
    $filename = ltrim($filename, ".\/");
    $file_path = BACKUP_DIR . $filename;
    if (file_exists($file_path)) {
        header("Content-Type: application/octet-stream");
        readfile($file_path); // Arbitrary file read: no capability or file-type check
    }
}
```
This approach is problematic for several reasons:
- Insufficient Sanitization: The use of ltrim($filename, ".\/") only strips leading dots and slashes; it does not prevent directory traversal sequences such as ../../ that appear elsewhere in the string.
- No Capability Checks: There was no verification that the user was authenticated or had the correct permissions to download backup files.
- No File Type Validation: The function did not check that the requested file was a legitimate backup archive, allowing attackers to request any file readable by the web server.
Attack Vectors and Exploitation
An attacker could exploit this vulnerability by crafting a GET request to the plugin's download endpoint, supplying a path traversal payload in the download_backup_file parameter. For example:
GET /wp-admin/tools.php?page=backup_manager&download_backup_file=../../wp-config.php
This request would cause the plugin to serve the site's wp-config.php file, exposing database credentials and other sensitive information. Exploitation required no authentication and could be performed remotely. Public exploit scripts and Metasploit modules made mass exploitation trivial (Exploit-DB 39883, Rapid7).
Root Cause
The root cause was a combination of improper input validation, lack of user authorization checks, and failure to restrict file types. The plugin trusted user-supplied input for file paths and did not adequately sanitize or validate this input before using it in file operations. This is a classic example of CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
Patch Information
The developers of the Simple Backup plugin addressed the arbitrary file download vulnerability in version 2.7.11 by implementing several key security measures:
- Capability Checks: They introduced checks to ensure that only users with appropriate permissions can access backup files. This prevents unauthorized users from exploiting the download functionality.
- Input Validation: The update includes stricter validation of user inputs, particularly the 'download_backup_file' parameter. This measure effectively mitigates path traversal attacks by sanitizing input to prevent directory traversal sequences.
- File Type Validation: The plugin now verifies the type of files being accessed, ensuring that only legitimate backup files can be downloaded. This prevents attackers from accessing sensitive files like 'wp-config.php'.
By implementing these security enhancements, version 2.7.11 effectively mitigates the risk of unauthorized file downloads and enhances the overall security of the Simple Backup plugin.
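To make the three measures concrete, and to show why the ltrim() sanitization from the Vulnerability Mechanism section was insufficient, here is an added example of a hardened download handler. It is not the plugin's real 2.7.11 code; the admin_post hook name, the nonce action, the 'manage_options' capability and the .zip/.tar.gz allow-list are assumptions for this example. Run from the command line outside WordPress, it builds a throwaway directory tree and compares the vulnerable and hardened path resolution on four constructed inputs.

```php
<?php
// Added example, not the Simple Backup plugin's actual 2.7.11 code: a
// hardened download handler applying the three measures above (capability
// check, input validation, file type validation), with the vulnerable
// versions' ltrim() sanitization kept alongside for comparison. The
// 'manage_options' capability, the nonce action name, the hook name and the
// .zip/.tar.gz extension allow-list are assumptions, not the plugin's values.

// Sanitization used by the vulnerable versions: strips only leading
// '.', '\' and '/' characters, so a traversal sequence after the first
// path segment survives untouched.
function vulnerable_sanitize(string $filename): string
{
    return ltrim($filename, ".\/");
}

// Map a user-supplied name to an absolute path that is guaranteed to lie
// inside $backup_dir and to name an allowed archive. Returns null on any
// violation. Pure PHP, usable outside WordPress.
function resolve_backup_path(string $backup_dir, string $filename): ?string
{
    // 1. Accept only a bare file name: any directory component is rejected
    //    outright instead of being stripped and retried.
    if ($filename === '' || $filename !== basename($filename)) {
        return null;
    }
    // 2. File type validation: a conservative character set plus an
    //    allow-list of archive extensions (assumed for this example).
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.(zip|tar\.gz)$/', $filename)) {
        return null;
    }
    // 3. Resolve symlinks, then verify containment on the canonical path.
    $base = realpath($backup_dir);
    $real = realpath($backup_dir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// WordPress entry point: authorization and CSRF checks run before any
// file-system access. Registered only when WordPress has loaded this code.
if (function_exists('add_action')) {
    add_action('admin_post_simple_backup_download', function () {
        if (!current_user_can('manage_options')) {           // assumed capability
            wp_die('Insufficient permissions', '', ['response' => 403]);
        }
        check_admin_referer('simple_backup_download');         // assumed nonce action
        $name = isset($_GET['download_backup_file']) ? (string) wp_unslash($_GET['download_backup_file']) : '';
        $path = resolve_backup_path(BACKUP_DIR, $name);
        if ($path === null) {
            wp_die('Invalid backup file', '', ['response' => 400]);
        }
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . basename($path) . '"');
        header('Content-Length: ' . filesize($path));
        readfile($path);
        exit;
    });
}

// Stand-alone demonstration (php this-file.php) on a constructed directory
// tree: <tmp>/backups holds one archive and a subdirectory, and the
// sensitive file sits one level above, as wp-config.php would.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $root = sys_get_temp_dir() . '/sb-demo-' . getmypid();
    mkdir($root . '/backups/old', 0700, true);
    file_put_contents($root . '/backups/site-2015-06-09.zip', 'PK');
    file_put_contents($root . '/wp-config.php', "<?php // constructed secrets\n");

    $inputs = ['site-2015-06-09.zip', '../wp-config.php', 'old/../../wp-config.php', '/etc/passwd'];
    foreach ($inputs as $name) {
        $old = $root . '/backups/' . vulnerable_sanitize($name);
        $new = resolve_backup_path($root . '/backups', $name);
        printf("%-26s vulnerable: %-12s hardened: %s\n", $name,
            file_exists($old) ? 'serves file' : 'not found',
            $new === null ? 'rejected' : 'serves ' . basename($new));
    }

    // Clean up the constructed tree.
    unlink($root . '/backups/site-2015-06-09.zip');
    unlink($root . '/wp-config.php');
    rmdir($root . '/backups/old');
    rmdir($root . '/backups');
    rmdir($root);
}
```

Two design choices are worth noting. The vulnerable ltrim() happens to neutralise a leading ../ by stripping it, but a traversal sequence after an existing subdirectory name (old/../../wp-config.php in the demo) passes through and resolves to the file one level above the backup directory; the hardened resolver rejects any name with a directory component rather than trying to clean it. Second, the realpath() containment check is defence in depth: even if the allow-list were loosened later, a symlink inside the backup directory pointing elsewhere would still be refused, and the capability and nonce checks run before any file-system call, so an unauthenticated request never reaches the resolver at all.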
Patch Reference:
Affected Systems and Versions
The vulnerability specifically affects:
- Product: Simple Backup plugin for WordPress
- Version Range: Up to and including 2.7.10
- Configuration: Any WordPress installation with the Simple Backup plugin ≤2.7.10 enabled is vulnerable, regardless of other configuration settings.
The issue is resolved in version 2.7.11 and later.
Vendor Security History
Simple Backup's security history is checkered. In addition to CVE-2015-10134, the plugin has been cited for other critical vulnerabilities, such as arbitrary file deletion. The vendor released a patch for CVE-2015-10134 within two weeks of disclosure, which is a reasonable response time. However, the plugin has not received updates since 2016, and the lack of ongoing maintenance means any new vulnerabilities are unlikely to be addressed. Compared to leading backup plugins like UpdraftPlus and BackWPup, Simple Backup's security maturity is lacking, and its abandonment leaves users at significant risk.
References
- NVD Entry for CVE-2015-10134
- Official CVE Entry
- Wordfence Vulnerability Advisory
- Packet Storm Security Advisory
- Acunetix Vulnerability Analysis
- Exploit-DB Entry 39883
- Exploit-DB Entry 51937
- Rapid7 Metasploit Module
- Patchstack Advisory
Source: This report was created using AI