Vulnerability In WPvivid Backup Plugin Can Lead To Database Leak
By WebARX Team
March 24, 2020
There is a missing authorization check in the WPvivid plugin that can lead to the exposure of the database and all files of the WordPress site.
The WPvivid Backup Plugin is described as “Migrate a copy of WP site to a new host (a new domain), schedule backups, send backups to leading remote storage. All in one backup&migration plugin”.
When we looked through the code of this plugin, we noticed that there are wp_ajax actions that do not have a proper authorization check in place and are also missing nonce checks, which additionally exposes them to CSRF.
The plugin has 30,000+ active installations as of February 28th, 2020. The issue has been fixed in version 0.9.36.
The most critical registered wp_ajax action that lacks an authorization check is wp_ajax_wpvivid_add_remote.
It allows any authenticated user, regardless of their user role, to add a new remote storage location and set it as the default backup location.
This means that the next time the backup runs, it will use this backup location and upload the backup to this location.
For example, an attacker could set up an S3 bucket at AWS and register it as the default remote location on the site. The next time the backup runs, the entire database and/or all files will be uploaded to the attacker's S3 bucket.
In /includes/class-wpvivid.php, the registration of the AJAX hooks is guarded only by is_admin().
is_admin() indicates that the request is being served from the admin area, not that the caller has administrative privileges: it also returns true for /wp-admin/admin-ajax.php, which any logged-in user can call. The load_ajax_hook_for_admin function then registers a bunch of wp_ajax actions.
Surprisingly, all of them except the wp_ajax_wpvivid_add_remote action have an authorization check. However, this might not matter much, because there is not a single nonce check in the entire plugin: a capability check only stops a low-privileged user from calling the action directly, while a CSRF request is made by an administrator's own browser and therefore passes it, which exposes practically every action to CSRF.
The wp_ajax_wpvivid_add_remote action is bound to the add_remote function, which determines the type of remote location, checks its validity and then adds it to the list of remote locations.
It also checks whether the default attribute is present and, if so, adjusts the scheduled backup settings so that the remote location being added becomes the backup target.
The changes can be found here, where we can see that a call to ajax_check_security has been added in multiple places. This function verifies the nonce token and checks the user's role, which closes both the missing authorization check and the CSRF issue.
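To make the two problems described above concrete, here is an added example (written for this page, not WPvivid's own code) of a minimal WordPress plugin that registers an AJAX handler for adding a remote backup location in the unsafe way first, and then in a hardened form that mirrors the role of the ajax_check_security call from the fix. All function, action, option and page-hook names (example_add_remote, example_ajax_check_security, settings_page_example-backup, and so on) are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, wp_create_nonce, wp_localize_script) are real.

```php
<?php
// Added example, not code from the WPvivid plugin. Names prefixed with
// "example_" are hypothetical and chosen for illustration only.

// Shared body: store a remote location and optionally make it the default
// target for scheduled backups (the behaviour the add_remote action has).
function example_store_remote() {
    $remote = array(
        'type'   => sanitize_text_field( wp_unslash( $_POST['type'] ?? '' ) ),
        'bucket' => sanitize_text_field( wp_unslash( $_POST['bucket'] ?? '' ) ),
    );
    $remotes   = get_option( 'example_remote_locations', array() );
    $remotes[] = $remote;
    update_option( 'example_remote_locations', $remotes );

    if ( ! empty( $_POST['default'] ) ) {
        // From now on every scheduled backup is uploaded to this location.
        update_option( 'example_default_remote', count( $remotes ) - 1 );
    }
    return $remote;
}

// --- Unsafe pattern ---------------------------------------------------------
// is_admin() is true for any request served from /wp-admin/, including
// /wp-admin/admin-ajax.php, which every logged-in user can reach. It says
// nothing about the caller's capabilities, so it is not an authorization check.
if ( is_admin() ) {
    add_action( 'wp_ajax_example_add_remote_unsafe', 'example_add_remote_unsafe' );
}

function example_add_remote_unsafe() {
    // No capability check: any authenticated user can call this directly.
    // No nonce check: any third-party page can make an administrator's browser
    // submit this request (CSRF), because the browser attaches the login cookie.
    wp_send_json_success( example_store_remote() );
}

// --- Hardened pattern -------------------------------------------------------
// One helper that verifies both the nonce (against CSRF) and the capability
// (authorization). check_ajax_referer() calls wp_die() on a missing, stale or
// foreign nonce, so execution never reaches the handler body in that case.
function example_ajax_check_security( $action ) {
    check_ajax_referer( $action, 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // Only administrators may change where backups are sent.
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
}

add_action( 'wp_ajax_example_add_remote', 'example_add_remote' );

function example_add_remote() {
    example_ajax_check_security( 'example_add_remote' );
    wp_send_json_success( example_store_remote() );
}

// The nonce must reach the browser-side code that issues the AJAX call.
// Hand it out only on this plugin's own settings page together with the
// script that uses it; the page hook name below is hypothetical.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_example-backup' !== $hook ) {
        return;
    }
    wp_enqueue_script(
        'example-backup',
        plugins_url( 'example-backup.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-backup', 'exampleBackup', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_add_remote' ),
    ) );
} );
```

The order of the two checks in example_ajax_check_security matters less than having both: the capability check alone still lets an attacker's page drive an administrator's browser, and the nonce check alone still lets a subscriber call the action directly, since a nonce is tied to the logged-in user rather than to a role.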
28-02-2020 – Discovery of the vulnerability in WPvivid and release of a to all WebARX customers.