OS Command Injection in WP-Database-Backup

On May 28th, a critical OS Command Injection vulnerability affecting the WP-Database-Backup plugin  was disclosed to the public by the Wordfence team. This is a very nasty bug which made it possible for a bad actor to gain full control of affected websites — with over 70,000 reported active installs.

Are You Affected?

On April 30th, version 5.2 was released, patching this vulnerability. If any of your websites use an older version, they’re vulnerable.

The bug can be exploited in two steps:

First, the attacker needs to store a malicious shell command in the wp_db_exclude_table option using an arbitrary option update vulnerability. When this is done, next the shell command saved on the site will be executed whenever the plugin creates a new database backup.

This can either happen by waiting for an administrator to manually create one, or if the Auto-Backup functionality is enabled, waiting until the next run occurs in order to gain access to the server.

Indicator of Compromise

If you see requests to either /wp-admin/admin-ajax.php?page=wp-database-backup or /wp-admin/admin-post.php?page=wp-database-backup, you site may have already been targeted by hackers.

Attacks in the Wild

We are not aware of attacks targeting this specific vulnerability yet. We will keep an eye open for those.

Update as Soon as Possible

If you’re using a vulnerable version of this plugin, update as soon as possible. In the event where you cannot do this, we strongly recommend leveraging the Sucuri website firewall or equivalent technology to have the vulnerability patched virtually.