CVE-2021-24155
Published 2021-04-05
Priority: P268 high · CVSS 3.1 base score 7.2 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 84.11% (99.7th percentile)
The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| backup-guard | backup_guard | < 1.6.0 | 1.6.0 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to wp-admin/admin-ajax.php with the action parameter set to 'backup_guard_importBackup', which is the upload endpoint abused for arbitrary file upload.
- Alert on any non-.sgbp file (especially .php) uploaded to wp-content/uploads/backup-guard/. A PHP webshell placed there indicates successful exploitation.
- Detect HTTP GET requests to wp-content/uploads/backup-guard/*.php: a 200 response with a text/html content-type indicates a live webshell.
- Detect the p0wny webshell by looking for the string 'p0wny@shell' in HTTP responses from the wp-content/uploads/backup-guard/ directory.
- Monitor for .htaccess modification in wp-content/uploads/backup-guard/: attackers may append content to invalidate 'deny from all' and bypass Apache protections.
- The .htaccess protection in wp-content/uploads/backup-guard/ is ineffective on Nginx servers, meaning the uploaded PHP webshell will be directly accessible without any bypass needed.
- Version 1.6.0 only enforces the .sgbp extension by appending it; it does NOT verify file content. This means the fix is incomplete and can still be chained with LFI or Arbitrary File Renaming to achieve RCE.
- Exploitation requires a high-privilege (admin+) authenticated WordPress account; unauthenticated exploitation is not possible with this vulnerability alone.
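The detection points above, turned into a small classifier over parsed HTTP transactions. This is an added example written for this page, not code from the plugin, the CVE sources or any vendor; the event record layout (method, path, merged params, uploaded filename, response status, content_type, body) is an assumption about what a WAF or reverse proxy log provides, and the sample events are constructed.

```python
import re
from typing import Dict, List

# A PHP file requested directly from the plugin's upload directory.
PHP_IN_UPLOAD_DIR = re.compile(r"^/wp-content/uploads/backup-guard/[^/?]+\.php$", re.I)

def classify(event: Dict) -> List[str]:
    """Return detection labels for one parsed HTTP transaction (a constructed
    record as a WAF or reverse proxy would log it: method, path, params with
    query and form fields merged, uploaded filename, response status,
    content_type and body)."""
    hits: List[str] = []
    method = event.get("method", "").upper()
    path = event.get("path", "")
    # 1. The abused upload endpoint: admin-ajax.php with the plugin's import action.
    if (method == "POST" and path.endswith("/wp-admin/admin-ajax.php")
            and event.get("params", {}).get("action") == "backup_guard_importBackup"):
        hits.append("backup-guard-import-request")
        name = (event.get("filename") or "").lower()
        if name and not name.endswith(".sgbp"):
            hits.append("non-sgbp-upload")  # a .php name here is a webshell drop
        if name == ".htaccess":
            hits.append("htaccess-overwrite-attempt")  # defeats 'deny from all'
    # 2. Direct requests for PHP inside the upload directory, and signs it executed.
    if method == "GET" and PHP_IN_UPLOAD_DIR.match(path):
        hits.append("php-requested-in-upload-dir")
        if event.get("status") == 200 and "text/html" in event.get("content_type", ""):
            hits.append("live-webshell-response")
        if "p0wny@shell" in event.get("body", ""):
            hits.append("p0wny-shell-banner")
    return hits

def scan(events: List[Dict]) -> List[List[str]]:
    """Classify every event; alert on any non-empty label list."""
    return [classify(e) for e in events]

# Constructed sample traffic (not real captures): benign import, webshell drop,
# shell access, and a blocked direct fetch of a legitimate backup.
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "params": {"action": "backup_guard_importBackup"}, "filename": "site.sgbp"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "params": {"action": "backup_guard_importBackup"}, "filename": "shell.php"},
    {"method": "GET", "path": "/wp-content/uploads/backup-guard/shell.php",
     "status": 200, "content_type": "text/html; charset=UTF-8", "body": "p0wny@shell:~#"},
    {"method": "GET", "path": "/wp-content/uploads/backup-guard/site.sgbp", "status": 403},
]
```

The first label on an import request is informational (admins legitimately import .sgbp files); the non-.sgbp, live-webshell and p0wny labels are the ones worth paging on.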
CVSS provenance
- NVD v3.1: 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
Exploit-DB
Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated) [HIGH] (exploitdb · 2021-07-05 · CVSS 7.2)
---
# Exploit Title: Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)
# Date 02.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://backup-guard.com/products/backup-wordpress
# Software Link: https://downloads.wordpress.org/plugin/backup.1.5.8.zip
# Version: Before 1.6.0
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24155
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24155/README.md
'''
Description:
The plugin did not ensure that the imported files are of the SGBP format and extension,
allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.
Additional Info, and Byp
Metasploit
Wordpress Plugin Backup Guard - Authenticated Remote Code Execution (metasploit)
This module allows an attacker with a privileged Wordpress account to launch a reverse shell due to an arbitrary file upload vulnerability in Wordpress plugin Backup Guard.
Nuclei
WordPress BackupGuard <1.6.0 - Authenticated Arbitrary File Upload [HIGH] (nuclei · CVSS 7.2)
Template fragment (the tail of the upload request, the verification request, and the matchers/extractors; indentation restored):

    -----------------------------204200867127808062083805313921--
      - |
        GET /wp-content/uploads/backup-guard/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(header_4, "text/html")
          - status_code_4 == 200
          - contains(body_3, '{\"success\":1}')
          - contains(body_4, 'CVE-2021-24155')
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - BG_BACKUP_STRINGS = {"nonce":"([0-9a-zA-Z]+)"};
        internal: true
# digest: 490a0046304402202c759f1345308d45d132f19dd8f0948869b82b4ba44ae8def28ffa73b71d5d6b02204b62962b777860117c68a89693b109cb4c42e2b8ad59b073209837aebb7c2059:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/163382/WordPress-Backup-Guard-1.5.8-Shell-Upload.html
- http://packetstormsecurity.com/files/163623/WordPress-Backup-Guard-Authenticated-Remote-Code-Execution.html
- https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb