Telugu News Daily: EDB-ID-47187: Wordpress Database Backup (5.2 And Lower) Command Injection Vulnerability And Remote Code Execution (Metasploit)

Friday, August 9, 2019

EDB-ID-47187: Wordpress Database Backup (5.2 And Lower) Command Injection Vulnerability And Remote Code Execution (Metasploit)

netsparker

About EDB-ID-47187: Wordpress Database Backup Command Injection Vulnerability (version 5.2 and lower)

EDB-ID: 47187
Author: Metasploit
Type: Remote
Platform: PHP
Published: 2019-07-29

EDB-ID-47187 Description
There exists a command injection vulnerability in the Wordpress plugin wp-database-backup for versions < 5.2.
For the backup functionality, the plugin generates a mysqldump command to execute.
The user can choose specific tables to exclude from the backup by setting the wp_db_exclude_table parameter in a POST request to the wp-database-backup page.
The names of the excluded tables are included in the mysqldump command unsanitized.
Arbitrary commands injected through the wp_db_exclude_table parameter are executed each time the functionality for creating a new database backup are run.
Authentication is required to successfully exploit this vulnerability.

You can read more about this vulnerability in here: OS Command Injection Vulnerability Patched In WP Database Backup Plugin

EDB-ID-47187 Remote Code Execution (Metasploit Module)

From Exploit Database

Telugu News Daily

Friday, August 9, 2019

EDB-ID-47187: Wordpress Database Backup (5.2 And Lower) Command Injection Vulnerability And Remote Code Execution (Metasploit)

No comments:

Post a Comment

About Me

Blog Archive