CVE-2023-7164
published 2024-04-08


Priority: P3 (56)
CVSS 3.1: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 2.26% (80.8th percentile)
The BackWPup WordPress plugin before 4.0.4 does not prevent Directory Listing in its temporary backup folder, allowing unauthenticated attackers to download backups of a site's database.

Affected (1 range)

Vendor   | Product  | Version range | Fixed in
inpsyde  | backwpup | < 4.0.4       | 4.0.4

Detection & IOCs (extracted from sources)

path: /wp-content/uploads/
regex (yara): backwpup-[a-f0-9]{6}-(backups|temp)
regex (yara): [\w\-\.]+\.(tar\.gz|tar|zip|sql)
  • Probe for directory listing exposure at the BackWPup temporary/backup folder path matching pattern backwpup-[a-f0-9]{6}-(backups|temp) under /wp-content/uploads/. A 200 response containing 'Index of' and the folder pattern confirms vulnerability.
  • After identifying the exposed backup folder, check for downloadable backup files matching extensions .tar.gz, .tar, .zip, or .sql — their presence with HTTP 200 confirms unauthenticated backup file disclosure.
  • Use FOFA query 'body="/wp-content/plugins/backwpup/"' to identify internet-facing WordPress instances with the BackWPup plugin installed for targeted scanning.
  • The exploit requires no authentication — any unauthenticated HTTP GET to the exposed backup folder path is sufficient to trigger the vulnerability.
  • The vulnerability only affects BackWPup plugin versions strictly below 4.0.4; instances running 4.0.4 or later are not affected.
  • The exposed path is specifically the plugin's temporary backup folder under wp-content/uploads/, not the entire uploads directory; detection should focus on the backwpup-[a-f0-9]{6}-(backups|temp) subdirectory pattern.
  • The Nuclei template uses stop-at-first-match across four common WordPress base path variants (/wp-content/uploads/, /blog/wp-content/uploads/, /wordpress/wp-content/uploads/, /wp/wp-content/uploads/); scanners should account for non-standard WordPress install paths that may be missed.
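The detection notes above describe what successful access looks like on the wire (HTTP 200 on a folder matching the backwpup-[a-f0-9]{6}-(backups|temp) pattern, followed by 200s on archive files). The following is an added example, not code from this page, the BackWPup project or the Nuclei template: it applies the two regexes listed in the Detection & IOCs section to web server access-log lines, so a site operator can tell from existing logs whether the temporary backup folder was listed or a backup was downloaded before the upgrade to 4.0.4. It assumes the Apache/nginx Combined Log Format and uses constructed sample lines; the IP addresses, timestamps and file names are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns taken verbatim from the page's Detection & IOCs section.
FOLDER_RE = re.compile(r"backwpup-[a-f0-9]{6}-(backups|temp)")
ARCHIVE_RE = re.compile(r"[\w\-\.]+\.(tar\.gz|tar|zip|sql)")
# The page names the uploads directory as the path of interest. Matching it
# with search() rather than a prefix also covers the /blog/, /wordpress/ and
# /wp/ base-path variants mentioned in the Nuclei template note.
UPLOADS_RE = re.compile(r"/wp-content/uploads/")

# Apache/nginx Combined Log Format (assumed; adjust for custom log formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    kind: str  # "listing" (folder index served) or "download" (archive served)


def classify(path: str, status: int) -> Optional[str]:
    """Return 'listing', 'download' or None for one request path + status.

    Only a 200 counts as exposure: a 403/404 on the same path means the
    server refused it, which is the expected post-fix behaviour.
    """
    if status != 200:
        return None
    path_only = path.split("?", 1)[0]  # drop any query string
    if not UPLOADS_RE.search(path_only) or not FOLDER_RE.search(path_only):
        return None
    last = path_only.rsplit("/", 1)[-1]
    # A trailing slash or a bare folder name is a directory index request.
    if path_only.endswith("/") or FOLDER_RE.fullmatch(last):
        return "listing"
    # A file inside the folder with a backup extension is a backup download.
    if ARCHIVE_RE.fullmatch(last):
        return "download"
    return None


def scan_log(lines) -> List[Finding]:
    """Parse access-log lines and return every exposure event found."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; not Combined Log Format
        status = int(m["status"])
        kind = classify(m["path"], status)
        if kind:
            findings.append(Finding(m["ip"], m["path"], status, kind))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Apr/2024:10:00:01 +0000] "GET /wp-content/uploads/backwpup-a1b2c3-backups/ HTTP/1.1" 200 4123',
    '203.0.113.7 - - [08/Apr/2024:10:00:05 +0000] "GET /wp-content/uploads/backwpup-a1b2c3-backups/2024-04-08_site_db.sql HTTP/1.1" 200 5120000',
    '198.51.100.2 - - [08/Apr/2024:10:01:00 +0000] "GET /wp-content/uploads/2024/04/image.png HTTP/1.1" 200 8812',
    '203.0.113.7 - - [08/Apr/2024:10:02:00 +0000] "GET /wp-content/uploads/backwpup-a1b2c3-temp/ HTTP/1.1" 403 199',
    '203.0.113.9 - - [08/Apr/2024:10:03:00 +0000] "GET /blog/wp-content/uploads/backwpup-deadbe-temp/backup.tar.gz HTTP/1.1" 200 2211000',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.kind:8} {f.ip:15} {f.path}")
```

Running the block on the constructed lines reports one listing and two downloads, and ignores both the ordinary uploads request and the 403 on the temp folder. A listing followed by a download from the same source address is the sequence the second detection bullet describes; the two events together are the signal that a database backup actually left the server and that credentials inside it should be rotated.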