CVE-2021-24155
published 2021-04-05


Priority: P2 68 high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 84.11% (99.7th percentile)
The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.

Affected (1 range)

Vendor        Product        Version range   Fixed in
backup-guard  backup_guard   < 1.6.0         1.6.0

Detection & IOCs (extracted from sources)

  url   wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=
  path  wp-content/uploads/backup-guard/
  url   /wp-content/uploads/backup-guard/{{randstr}}.php
  • Monitor POST requests to wp-admin/admin-ajax.php with the action parameter set to 'backup_guard_importBackup', which is the upload endpoint abused for arbitrary file upload.
  • Alert on any non-.sgbp file (especially .php) uploaded to wp-content/uploads/backup-guard/. A PHP webshell placed there indicates successful exploitation.
  • Detect HTTP GET requests to wp-content/uploads/backup-guard/*.php — a 200 response with text/html content-type indicates a live webshell.
  • Detect the p0wny webshell by looking for the string 'p0wny@shell' in HTTP responses from the wp-content/uploads/backup-guard/ directory.
  • Monitor for .htaccess modification in wp-content/uploads/backup-guard/ — attackers may append content to invalidate 'deny from all' and bypass Apache protections.
  • The .htaccess protection in wp-content/uploads/backup-guard/ is ineffective on Nginx servers, meaning the uploaded PHP webshell will be directly accessible without any bypass needed.
  • Version 1.6.0 only enforces the .sgbp extension by appending it — it does NOT verify file content. This means the fix is incomplete and can still be chained with LFI or Arbitrary File Renaming to achieve RCE.
  • Exploitation requires a high-privilege (admin+) authenticated WordPress account; unauthenticated exploitation is not possible with this vulnerability alone.
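The detection points above can be turned into a small log-review script. The following is an added example, not code from cbcvebase or from the Backup Guard plugin: it parses access-log lines in the common "combined" layout (an assumption; adjust the regex to your server), flags the two web-facing indicators (a POST to the backup_guard_importBackup handler, and any request for a .php file under wp-content/uploads/backup-guard/), correlates the two per source address, and adds a filesystem check for non-.sgbp files in the upload directory. The log lines and the file list are constructed samples, and 203.0.113.7 is a documentation address standing in for the abusing account's source.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Paths taken from the IOC list; the site is assumed to live at the web root "/".
UPLOAD_DIR = "/wp-content/uploads/backup-guard/"
IMPORT_ACTION = "backup_guard_importBackup"

# Common "combined" access-log layout (assumed format; adapt to your server's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    rule: str
    ip: str
    target: str
    status: int


def analyze_line(line):
    """Return a Finding for one access-log line, or None if nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m["ip"], m["method"], m["target"], int(m["status"])
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)

    # Rule 1: POST to the plugin's import handler, i.e. the upload endpoint.
    # Only the query string is inspected; an action carried in the POST body
    # would need request-body logging to be visible here.
    if (method == "POST" and path.endswith("/wp-admin/admin-ajax.php")
            and IMPORT_ACTION in query.get("action", [])):
        return Finding("backup_guard_import_upload", ip, target, status)

    # Rule 2: any request for a .php file inside the backup directory.
    # A 200 means the server executed/served it (the .htaccess "deny from all"
    # was bypassed or, on Nginx, never applied); other statuses are still probes.
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
        rule = "backup_guard_php_served" if status == 200 else "backup_guard_php_probe"
        return Finding(rule, ip, target, status)
    return None


def analyze(lines):
    """Run analyze_line over an iterable of log lines, keeping only the hits."""
    return [f for f in map(analyze_line, lines) if f is not None]


def correlate(findings):
    """Source addresses that hit the import endpoint and later had a .php file
    served from the backup directory: the strongest sign of a deployed webshell.
    Findings must be in log (chronological) order."""
    imported, served = set(), set()
    for f in findings:
        if f.rule == "backup_guard_import_upload":
            imported.add(f.ip)
        elif f.rule == "backup_guard_php_served" and f.ip in imported:
            served.add(f.ip)
    return served


def unexpected_uploads(filenames, allow=frozenset({".htaccess"})):
    """Filesystem check: entries of wp-content/uploads/backup-guard/ that are not
    .sgbp archives. The plugin's own .htaccess is allow-listed by default."""
    return [n for n in filenames if n not in allow and not n.lower().endswith(".sgbp")]


# Constructed sample log lines (not real traffic). The token value is made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Apr/2021:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=abc HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Apr/2021:10:00:05 +0000] "GET /wp-content/uploads/backup-guard/x7q2.php HTTP/1.1" 200 2048',
    '198.51.100.4 - - [05/Apr/2021:10:01:00 +0000] "GET /wp-content/uploads/backup-guard/site.sgbp HTTP/1.1" 403 0',
    '198.51.100.9 - - [05/Apr/2021:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
    '203.0.113.7 - - [05/Apr/2021:10:03:00 +0000] "GET /wp-content/uploads/backup-guard/x7q2.php HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f)
    print("likely webshell deployed from:", correlate(found))
    print("unexpected files:", unexpected_uploads(["site.sgbp", "x7q2.php", ".htaccess"]))
```

On the sample, the script reports the import POST, the .php file served with a 200, and a later 403 probe for the same file, and correlates the first two to a single source address. In production the import-endpoint rule on its own fires on legitimate restores by administrators, so treat it as context for the other two rules rather than as an alert by itself.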

CVSS provenance

  nvd  v3.1  7.2  HIGH    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  nvd  v2.0  6.5  MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P