WP-Safety
CVE-2007-5800

BackUpWordPress <= 0.4.2b - Remote File Inclusion

criticalImproper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
0.4.3
Patched in
5927d
Time to patch

Description

Multiple PHP remote file inclusion vulnerabilities in the BackUpWordPress 0.4.2b and earlier plugin for WordPress allow remote attackers to execute arbitrary PHP code via a URL in the bkpwp_plugin_path parameter to (1) plugins/BackUp/Archive.php; and (2) Predicate.php, (3) Writer.php, (4) Reader.php, and other unspecified scripts under plugins/BackUp/Archive/.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<0.4.3
PublishedNovember 1, 2007
Last updatedJanuary 22, 2024
Affected pluginbackupwordpress
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/2250fa2d-82f5-4553-a52e-0c43d215aaba?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database