[Security issue!] BackupWordPress Plugin has a security issue!

The BackupWordPress plugin has a very serious security issue!

https://wordpress.org/plugins/backupwordpress/

If you have installed it and set it up to back up your database regularly, the plugin will by default place your backups under the wp-content folder, which is web accessible!

For example, after a couple of days, I found my backups at this path:

dev.vvirlan.com/wp-content/backupwordpress-0ab6842a44-backups/dev-vvirlan-com-1464628921-database-2016-06-27-23-13-08.zip

Out of curiosity, I just tried to open this link in a browser. And voilà! I was able to download my database 😀

I was not able to change the destination directory, nor the permissions on it. Here's a screenshot of the available settings:

[Screenshot of the BackupWordPress settings page, taken 2016-07-05]
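Since the plugin's settings offer no way to move the backups out of the web root, the practical workaround is to deny HTTP access to the backup directory at the web server. The script below is an added example, not code from the original post or from the BackupWordPress project: it lists every archive in the `wp-content/backupwordpress-*-backups` directories together with the URL it would be reachable at, flags it as EXPOSED or PROTECTED, and drops a deny-all `.htaccess` into each directory. It assumes a standard WordPress layout (the directory passed in is served at `SITE_URL/wp-content/`) and an Apache server that honours `.htaccess` in that tree (`AllowOverride` enabled); both are assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the BackupWordPress project).
# Assumes a standard WordPress layout where WP_CONTENT_DIR is served at
# SITE_URL/wp-content/ and an Apache server honouring .htaccess there.

# audit_backup_dirs WP_CONTENT_DIR SITE_URL
# Prints one line per backup archive: EXPOSED or PROTECTED, then the URL at
# which the archive would be fetched if the web server serves the directory.
audit_backup_dirs() {
    wp_content=$1
    site=$2
    for dir in "$wp_content"/backupwordpress-*-backups; do
        [ -d "$dir" ] || continue
        # Count the directory as protected only if an .htaccess actually denies access.
        if [ -f "$dir/.htaccess" ] && grep -Eq 'Require all denied|Deny from all' "$dir/.htaccess"; then
            status=PROTECTED
        else
            status=EXPOSED
        fi
        for f in "$dir"/*.zip; do
            [ -f "$f" ] || continue
            rel=${f#"$wp_content"/}
            echo "$status $site/wp-content/$rel"
        done
    done
}

# harden_backup_dirs WP_CONTENT_DIR
# Writes a deny-all .htaccess into every backup directory found; prints the count.
harden_backup_dirs() {
    wp_content=$1
    count=0
    for dir in "$wp_content"/backupwordpress-*-backups; do
        [ -d "$dir" ] || continue
        cat > "$dir/.htaccess" <<'EOF'
# Block direct HTTP access to backup archives (Apache 2.4 and 2.2 syntax)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
        count=$((count + 1))
    done
    echo "$count"
}

# Stand-alone use: sh harden.sh /var/www/html/wp-content https://dev.vvirlan.com
# Audits first, hardens, then audits again so the status change is visible.
if [ "$#" -ge 2 ]; then
    audit_backup_dirs "$1" "$2"
    harden_backup_dirs "$1" >/dev/null
    audit_backup_dirs "$1" "$2"
fi
```

After running it, fetch one of the printed URLs with `curl -I` and confirm you get a 403 rather than a 200. Two caveats: the random-looking token in the directory name makes the path harder to guess but is obscurity, not access control, so the deny rule is what actually keeps the archive out of reach; and nginx ignores `.htaccess` entirely, so there you need an equivalent `location ~ ^/wp-content/backupwordpress-.*-backups/ { deny all; }` block in the server configuration instead.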

