CVE-2021-47979

WordPress Plugin Backup and Restore 1.0.3 Arbitrary File Deletion

CVSS 8.7 HIGHEPSS 0.4%CWE-22

WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Miniorange · Backup and Restore

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/50503unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wordpress.org/plugins/backup-and-restore-for-wp/https://www.exploit-db.com/exploits/50503 https://www.miniorange.com/https://www.vulncheck.com/advisories/wordpress-plugin-backup-and-restore-arbitrary-file-deletion