Executive Summary

The Keep Backup Daily plugin for WordPress, up to and including version 2.1.1, has a vulnerability known as Limited Path Traversal via the `kbd_open_upload_dir` AJAX action.

This vulnerability arises because the `kbd_path` parameter is only sanitized using WordPress's `sanitize_text_field()` function, which does not remove path traversal sequences like '../'.

As a result, authenticated users with Administrator-level access or higher can exploit this flaw to list the contents of arbitrary directories on the server outside the intended uploads directory.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with administrator privileges to view the contents of any directory on the server, not just the intended upload directory.

This can lead to exposure of sensitive files and information stored on the server, potentially aiding further attacks or data leakage.

Although the attacker must already have administrator-level access, this flaw expands their ability to access files beyond normal plugin restrictions.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability in the Keep Backup Daily WordPress plugin can be detected by checking for unauthorized directory listing attempts via the `kbd_open_upload_dir` AJAX action, which improperly sanitizes the `kbd_path` parameter allowing path traversal.'}, {'type': 'paragraph', 'content': "To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the WordPress AJAX endpoint for suspicious `kbd_open_upload_dir` calls with path traversal sequences such as '../' in the `kbd_path` parameter."}, {'type': 'paragraph', 'content': 'Example commands to detect such activity include:'}, {'type': 'list_item', 'content': "Using grep on web server access logs to find suspicious AJAX requests: `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'kbd_open_upload_dir' | grep '\\.\\./'`"}, {'type': 'list_item', 'content': "Using a network packet capture tool like tcpdump to filter HTTP POST requests containing `kbd_open_upload_dir`: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'kbd_open_upload_dir'`"}, {'type': 'list_item', 'content': 'Checking WordPress plugin version installed to confirm if it is vulnerable (versions up to and including 2.1.1 are affected).'}, {'type': 'paragraph', 'content': 'Note that detection requires administrator-level access to the WordPress site since the vulnerability requires authenticated users with such privileges.'}] [1, 4]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the Keep Backup Daily plugin to version 2.1.3 or later, where the vulnerability is fixed by implementing strict directory path validation using `realpath()` and restricting access to allowed directories only.

If updating immediately is not possible, restrict administrator-level access to trusted users only, as exploitation requires authenticated users with administrator privileges.

Additionally, monitor and block suspicious AJAX requests targeting the `kbd_open_upload_dir` action with path traversal sequences.

Review and harden server and WordPress security settings, including limiting file system permissions and ensuring that backup directories are properly secured.

Consider disabling or removing the Keep Backup Daily plugin temporarily if it is not essential until a secure version is deployed.

Useful 0 Not Useful 0