CVE-2025-68039

BackItUp <= 2.1.0 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The BackItUp plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.1.0
Published: January 21, 2026
Last updated: January 27, 2026
Affected plugin: wp-backitup

Research Plan

Status: Unverified

This research plan targets CVE-2025-68039, a Missing Authorization vulnerability in the WP BackItUp Community Edition plugin (<= 2.1.0). The vulnerability allows unauthenticated attackers to execute sensitive functions—likely related to notice dismissal or configuration changes—that should be restricted to administrators.

1. Vulnerability Summary

The vulnerability arises from the registration of AJAX handlers using the wp_ajax_nopriv_ hook without accompanying capability checks (current_user_can) or robust nonce verification. This exposes internal plugin logic to any unauthenticated visitor who can send a POST request to wp-admin/admin-ajax.php. Given the "Low Integrity" impact, the vulnerability likely allows the modification of specific plugin options or the suppression of security/backup notifications.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action (Inferred): wp_backitup_dismiss_notice or wpbi_dismiss_notice. (The agent must verify the exact string via grep).
  • HTTP Method: POST
  • Parameters: action, notice_id (or similar identifier), and potentially a nonce.
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Entry Point: WordPress receives a request to admin-ajax.php with an action parameter starting with wp_ajax_nopriv_.
  2. Hook Registration: The plugin registers a callback in its main file or an AJAX include (e.g., inc/wpbi-ajax.php or wp-backitup.php).
    • Search Pattern: add_action(\s*['"]wp_ajax_nopriv_([^'"]+)['"]
  3. Vulnerable Function: The callback function (e.g., wp_backitup_dismiss_notice()) is invoked.
  4. Authorization Failure: The function performs a state-changing operation—such as update_option()—without checking if the current user has the manage_options capability.
  5. Sink: The database state is modified (e.g., an option like wp_backitup_dismissed_notices is updated).

4. Nonce Acquisition Strategy

If the function calls check_ajax_referer() or wp_verify_nonce(), the agent must find where the nonce is generated and exposed.

  1. Identify Nonce Action: Search for wp_create_nonce in the plugin code to find the action string associated with the vulnerable handler.
  2. Locate Exposure: Search for wp_localize_script or wp_nonce_field to see where the nonce is printed to the HTML.
  3. Check Shortcodes: Many backup plugins only load scripts on their admin pages or on pages containing a specific shortcode. Check for add_shortcode in the source.
  4. Extraction:
    • Create a page with the identified shortcode: wp post create --post_type=page --post_status=publish --post_content='[wp_backitup_shortcode]'
    • Navigate to the page using browser_navigate.
    • Extract the nonce: browser_eval("window.wpbi_ajax_object?.nonce") (Replace wpbi_ajax_object with the actual localized variable name found in the source).

Note: If the check is entirely missing or if check_ajax_referer is called with die=false and the result is not checked, the nonce is unnecessary.

5. Exploitation Strategy

The goal is to demonstrate unauthorized modification of plugin state.

  1. Discovery: Run grep -r "wp_ajax_nopriv" . to list all unauthenticated AJAX actions. Identify those that lack current_user_can('manage_options').
  2. Request Construction: Use the http_request tool to send a POST request.
    • URL: {{BASE_URL}}/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=wp_backitup_dismiss_notice&notice_id=security_check_warning (adjust based on source analysis).
  3. Response Analysis: A successful exploit will typically return a 200 OK with a JSON body {"success":true} or a string like 1.

6. Test Data Setup

  1. Install and activate WP BackItUp Community Edition <= 2.1.0.
  2. Identify a specific "notice" or "option" the plugin uses. For example, if the plugin has a "Review Us" notice, find its ID in the code.
  3. If the exploit requires a nonce from a frontend page, create a post with the necessary shortcode:
    wp post create --post_title="Trigger" --post_content="[wp_backitup]" --post_status="publish"

7. Expected Results

  • The admin-ajax.php request returns a success indicator.
  • The WordPress database is modified without authorization; specifically, the wp_options table should show changes to the plugin's notice-tracking options.

8. Verification Steps

After sending the HTTP request, verify the impact using WP-CLI:

  1. Check Options:
    wp option get wp_backitup_dismissed_notices
  2. Compare State: Verify that the option now contains the notice_id sent in the exploit payload, confirming that an unauthenticated user successfully modified the site configuration.

9. Alternative Approaches

If wp_backitup_dismiss_notice is not the culprit:

  • Search for update_option: Search the plugin for all occurrences of update_option and trace them backward to see if any are reachable via wp_ajax_nopriv.
  • Check admin_init: Sometimes plugins hook functions to admin_init that do not check is_admin(). Since admin-ajax.php triggers admin_init, these functions can be called by anyone.
    • Search Pattern: add_action(\s*['"]admin_init['"] followed by a check for $_GET or $_POST parameters without capability checks.
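
The handler shape that sections 3 and 9 describe, placed beside the hardened form a plugin author should ship, as an added example. This is not code from WP BackItUp (whose real handler, option and nonce names this page has not verified); every identifier here (example_dismiss_notice, example_dismissed_notices, exampleNotices, example_reset_notices) is a placeholder, and the notice IDs in the allow-list are made up.

```php
<?php
/**
 * Added example, not WP BackItUp code. All names are hypothetical.
 * First block: the shape the advisory describes (nopriv hook, no checks).
 * Second block: the hardened equivalent.
 */

// ---------- Pattern the advisory describes: do not ship ----------
// Registered on wp_ajax_nopriv_, so any visitor can reach it, and the
// callback writes an option with neither a capability nor a nonce check.
add_action( 'wp_ajax_nopriv_example_dismiss_notice', 'example_dismiss_notice_unsafe' );
add_action( 'wp_ajax_example_dismiss_notice',        'example_dismiss_notice_unsafe' );

function example_dismiss_notice_unsafe() {
    $dismissed   = (array) get_option( 'example_dismissed_notices', array() );
    $dismissed[] = $_POST['notice_id'] ?? '';
    update_option( 'example_dismissed_notices', array_unique( $dismissed ) );
    echo '1';
    wp_die();
}

// ---------- Hardened equivalent ----------
// 1. Only the logged-in hook. A notice-dismissal action has no reason to be
//    reachable by anonymous visitors, so wp_ajax_nopriv_ is never registered.
add_action( 'wp_ajax_example_dismiss_notice', 'example_dismiss_notice_safe' );

function example_dismiss_notice_safe() {
    // 2. CSRF check. check_ajax_referer() dies with a 403 on failure unless
    //    die=false is passed; if you pass false you must test the return value.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // 3. Authorization check. The nonce only proves the request came from the
    //    plugin's own page; this is what proves the user is allowed to act.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Validate input against an allow-list instead of storing raw POST data.
    $known     = array( 'review_us', 'backup_reminder', 'security_check_warning' ); // constructed IDs
    $notice_id = isset( $_POST['notice_id'] ) ? sanitize_key( wp_unslash( $_POST['notice_id'] ) ) : '';
    if ( ! in_array( $notice_id, $known, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown notice' ), 400 );
    }

    $dismissed   = (array) get_option( 'example_dismissed_notices', array() );
    $dismissed[] = $notice_id;
    update_option( 'example_dismissed_notices', array_values( array_unique( $dismissed ) ) );

    wp_send_json_success( array( 'dismissed' => $notice_id ) );
}

// The nonce the hardened handler expects is minted server-side and handed only
// to the admin page's script, so it is never printed on public pages.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-notices', plugins_url( 'notices.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-notices', 'exampleNotices', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_dismiss_notice' ),
    ) );
} );

// ---------- Section 9's admin_init case, hardened the same way ----------
// admin-ajax.php fires admin_init for anonymous requests too, so an admin_init
// callback that acts on request parameters needs the same two checks.
add_action( 'admin_init', function () {
    if ( empty( $_GET['example_reset_notices'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_reset_notices' ); // dies on a missing or bad _wpnonce
    delete_option( 'example_dismissed_notices' );
} );
```

Two points worth keeping separate when reviewing a handler like this: the nonce defends against CSRF and the capability check defends against unauthorized users, and neither substitutes for the other. A grep for `wp_ajax_nopriv_` that lands on a state-changing callback is the signal; the callback is acceptable only if it contains both checks before the first `update_option()` or `delete_option()` call.
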

Research Findings

Static analysis — not yet PoC-verified

Summary

The WP BackItUp Community Edition plugin for WordPress is vulnerable to unauthorized access in versions up to 2.1.0 because it registers AJAX actions via 'wp_ajax_nopriv_' without capability checks or nonce verification. This allows unauthenticated attackers to perform administrative actions, such as dismissing important security or system notices, by sending a direct request to the AJAX endpoint.

Exploit Outline

An attacker can exploit this vulnerability by sending an unauthenticated POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to the vulnerable handler (identified as 'wpbi_dismiss_notice' or 'wp_backitup_dismiss_notice'). By providing the appropriate parameters, such as a 'notice_id', the attacker triggers the server-side callback which updates the plugin's configuration options (e.g., 'wp_backitup_dismissed_notices') in the database, effectively manipulating administrative UI state without permission.
