EDB-ID-47187: Wordpress Database Backup (5.2 and lower) Command Injection Vulnerability And Remote Code Execution (Metasploit)
EDB-ID-47187 Remote Code Execution (Metasploit Module)
- EDB-ID: 47187
- Author: Metasploit
- Type: Remote
- Platform: PHP
- Published: 2019-07-29
There exists a command injection vulnerability in the Wordpress plugin `wp-database-backup` for versions < 5.2. For the backup functionality, the plugin generates a mysqldump command to execute. The user can choose specific tables to exclude from the backup by setting the `wp_db_exclude_table` parameter in a POST request to the wp-database-backup page. The names of the excluded tables are included in the mysqldump command unsanitized. Arbitrary commands injected through the `wp_db_exclude_table` parameter are executed each time the functionality for creating a new database backup is run. Authentication is required to successfully exploit this vulnerability.

You can read more about this vulnerability here: OS Command Injection Vulnerability Patched In WP Database Backup Plugin
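To make the bug class concrete, here is an added illustration (not the plugin's code and not the Metasploit module) of the unsafe way excluded table names can end up in a mysqldump command line, beside a hardened version. The function names, the `wpdb` database name and the table list are hypothetical stand-ins, since the plugin's internals are not on the page.

```php
<?php
// Added illustration, not the plugin's own code: the plugin's internals are not on the
// page, so these functions are hypothetical stand-ins for the routine that turns the
// wp_db_exclude_table POST parameter into the mysqldump command line.

// Vulnerable pattern: names from the request are concatenated straight into a shell
// string, so any shell metacharacters in a "table name" become part of the command.
function build_mysqldump_command_unsafe(string $db, array $excluded): string
{
    $cmd = 'mysqldump ' . $db;
    foreach ($excluded as $table) {
        $cmd .= ' --ignore-table=' . $db . '.' . $table; // unsanitized user input
    }
    return $cmd;
}

// Hardened pattern: accept only names that are real tables in this database (the list
// a SHOW TABLES query returns), which rules metacharacters out entirely, and still
// quote every argument with escapeshellarg() as defence in depth.
// @param string[] $known_tables  table names the database actually contains
// @param string[] $excluded      names submitted in wp_db_exclude_table
function build_mysqldump_command_safe(string $db, array $known_tables, array $excluded): string
{
    $allowed = array_fill_keys($known_tables, true);
    $args = [escapeshellarg($db)];
    foreach ($excluded as $table) {
        if (!is_string($table) || !isset($allowed[$table])) {
            throw new InvalidArgumentException('unknown table in exclude list');
        }
        $args[] = escapeshellarg('--ignore-table=' . $db . '.' . $table);
    }
    return 'mysqldump ' . implode(' ', $args);
}

// Constructed sample: a typical WordPress table list and an exclude list holding one
// legitimate table plus one value that is not a table name at all.
$known   = ['wp_options', 'wp_posts', 'wp_users'];
$request = ['wp_posts', 'wp_users extra'];

echo build_mysqldump_command_unsafe('wpdb', $request), PHP_EOL; // stray text reaches the shell
try {
    build_mysqldump_command_safe('wpdb', $known, $request);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL; // refused before anything is executed
}
echo build_mysqldump_command_safe('wpdb', $known, ['wp_posts']), PHP_EOL;
```

When auditing a plugin for this class of bug, the exec()/shell_exec()/system() call sites are where to look for the unsafe pattern; the rejected-request branch above is also the natural place to log the attempt.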
EDB-ID-47187 Remote Code Execution (Metasploit Module) from Exploit Database
Reviewed by 0x000216 on Monday, July 29, 2019