CVE-2021-39327
Published 2021-09-17
CVE-2021-39327: The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible…
Priority P357 · medium · 5.3 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
EXPLOIT
EPSS: 72.33% (99.4th percentile)
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ait-pro | bulletproof_security | <= 5.1 | — |
| aitpro | bulletproof_security | 5.1 – 5.1 | — |
Detection & IOCs
- HTTP GET request to either of the two publicly accessible db_backup_log.txt paths returns HTTP 200 with Content-Type text/plain and body containing both 'BPS DB BACKUP LOG' and '=================='
- A non-empty db_backup_log.txt (i.e. backup functionality is active) will NOT match the regex pattern '^BPS\sDB\sBACKUP\sLOG\r\n==================\r\n==================\r\n\r\n$' — use this negative match to confirm actual data disclosure vs. an empty log
- After retrieving the db_backup_log.txt, parse it to locate disclosed database backup file paths, then download those backup files to extract all user credentials
- The vulnerability is only exploitable if the BulletProof Security backup functionality has been used at least once; an empty log file (matching the all-empty regex) means no backup paths are disclosed
- Two distinct file paths must be checked, as the log may reside in either location depending on plugin configuration
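The response checks listed above, written out as an added example for auditing a site you operate (this is not code from the Nuclei template, the Metasploit module or the exploit author). The function name, the result labels and the sample bodies are assumptions constructed for illustration; only the two marker strings and the empty-log regex come from this page.

```python
import re

# Regex quoted on this page: matches a log that holds only the header.
EMPTY_LOG = re.compile(
    r"^BPS\sDB\sBACKUP\sLOG\r\n==================\r\n==================\r\n\r\n$"
)
# Both marker strings from this page must be present in the body.
MARKERS = ("BPS DB BACKUP LOG", "==================")

# Constructed sample bodies (not captured from a real site). CRLF line
# endings must be preserved when decoding, or the regex cannot match.
EMPTY_BODY = "BPS DB BACKUP LOG\r\n==================\r\n==================\r\n\r\n"
USED_BODY = EMPTY_BODY + "<constructed backup entry>\r\n"
SOFT_404 = "<html><body>db_backup_log.txt not found</body></html>"


def classify_log_response(status, content_type, body):
    """Return 'not_exposed', 'exposed_empty' or 'exposed_with_entries'."""
    if status != 200:
        return "not_exposed"
    # Ignore parameters and case: "text/plain; charset=UTF-8" still counts.
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    if media_type != "text/plain":
        return "not_exposed"
    # Requiring both markers keeps soft-404 pages served with 200 from matching.
    if not all(marker in body for marker in MARKERS):
        return "not_exposed"
    # Header-only log: file is public, but backups were never run.
    if EMPTY_LOG.match(body):
        return "exposed_empty"
    # Anything after the header means backup paths are being disclosed.
    return "exposed_with_entries"


def audit(responses):
    """Classify a mapping of {label: (status, content_type, body)}."""
    return {label: classify_log_response(*resp) for label, resp in responses.items()}


if __name__ == "__main__":
    report = audit({
        "empty log": (200, "text/plain", EMPTY_BODY),
        "log with entries": (200, "text/plain; charset=UTF-8", USED_BODY),
        "soft 404": (200, "text/html", SOFT_404),
        "blocked": (403, "text/plain", ""),
    })
    for label, verdict in report.items():
        print(f"{label}: {verdict}")
```

Either "exposed" result means the log is publicly readable and the plugin should be updated past 5.1; "exposed_with_entries" additionally means existing backup files should be treated as disclosed.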
CVSS provenance
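| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |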
No detection rules found.
Exploit-DB
Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure
exploitdb · 2021-10-06 · CVSS 5.3
---
# Exploit Title: Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure
# Date 04.10.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://forum.ait-pro.com/read-me-first/
# Software Link: https://downloads.wordpress.org/plugin/bulletproof-security.5.1.zip
# Version: <= 5.1
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-39327
# CWE: CWE-200
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-39327/README.md
'''
Description:
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible
~/db_backup_log.txt file which grants attackers the full path of t
Metasploit
Wordpress BulletProof Security Backup Disclosure
metasploit
The Wordpress plugin BulletProof Security, versions <= 5.1, suffers from an information disclosure vulnerability, in that the db_backup_log.txt is publicly accessible. If the backup functionality is being utilized, this file will disclose where the backup files can be downloaded. After downloading the backup file, it will be parsed to grab all user credentials.
Nuclei
WordPress BulletProof Security 5.1 Information Disclosure
nuclei · CVSS 5.3
Template:
id: CVE-2021-39327
info:
  name: WordPress BulletProof Security 5.1 Information Disclosure
  author: geeknik
  severity: medium
  description: The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup fil
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/164420/WordPress-BulletProof-Security-5.1-Information-Disclosure.html
- https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2021-39327
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2591118%40bulletproof-security&new=2591118%40bulletproof-security&sfp_email=&sfph_mail=
- https://www.exploit-db.com/exploits/50382
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39327
Published: 2021-09-17