Directory Traversal Vulnerability in WordPress Database Backup Plugin
CVE-2024-12850

4.9MEDIUM

Key Information:

Vendor: Wordpress
Status: Database Backup And Check Tables Automated With Scheduler 2024
Vendor: CVE Published:; 24 December 2024

Summary

The Database Backup and Check Tables Automated With Scheduler plugin for WordPress is susceptible to a directory traversal vulnerability due to flaws in the database_backup_ajax_download() function. This vulnerability permits authenticated users with administrator-level access and higher to traverse the directory structure of the server, thereby gaining access to potentially sensitive files. Attackers exploiting this vulnerability can read arbitrary file contents on the server, leading to severe security breaches. Website administrators using this plugin should apply necessary updates and implement security measures to mitigate these risks.

Affected Version(s)

Database Backup and check Tables Automated With Scheduler 2024 * <= 2.32

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

http://plugins.svn.wordpress.org/database-backup/tags/2.3...

https://plugins.trac.wordpress.org/changeset/3212315/data...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 24, 2024
Vulnerability Reserved
Dec 20, 2024

Credit

Dzmitry Sviatlichny