[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwjv-3jl8pRvC4X3T5KDpxP3GgDy3MLqPkasf0Hqu894":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"source_links":41},"CVE-2026-6227","backwpup-authenticated-administrator-local-file-inclusion-via-blockname-parameter","BackWPup \u003C= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter","The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `\u002Fwp-json\u002Fbackwpup\u002Fv1\u002Fgetblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....\u002F\u002F`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability.","backwpup",null,"\u003C=5.6.6","5.6.7","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-04-13 14:13:09","2026-04-14 02:25:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F084e3f78-275b-4692-9cce-e17074f55cfb?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fbackwpup-admin.css","assets\u002Fjs\u002Fbackwpup-admin.js","assets\u002Fjs\u002Fbackwpup-admin.min.js","assets\u002Fjs\u002Fpage_edit_tab_cron.js","assets\u002Fjs\u002Fpage_edit_tab_cron.min.js","assets\u002Fjs\u002Fsettings-encryption.js","assets\u002Fjs\u002Fsettings-encryption.min.js","backwpup.php","researched",false,3,"This research plan outlines the steps to exploit a Local File Inclusion (LFI) vulnerability in the BackWPup plugin for WordPress.\n\n### 1. Vulnerability Summary\nThe BackWPup plugin (\u003C= 5.6.6) is vulnerable to Local File Inclusion via the `block_name` parameter in its REST API endpoint `\u002Fwp-json\u002Fbackwpup\u002Fv1\u002Fgetblock`. The vulnerability exists because the plugin attempts to sanitize the `block_name` using a non-recursive `str_replace()` on the `..\u002F` sequence. By using a crafted sequence like `....\u002F\u002F`, an attacker can bypass the filter (the filter reduces `....\u002F\u002F` to `..\u002F`). Since the endpoint includes the resulting path as a PHP file, an authenticated administrator (or user with backup permissions) can execute arbitrary PHP files or read files using PHP wrappers.\n\n### 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fbackwpup\u002Fv1\u002Fgetblock`\n- **Method:** `POST`\n- **Vulnerable Parameter:** `block_name`\n- **Required Authentication:** Administrator (or users granted specific backup permissions).\n- **Nonce Requirement:** Required (`X-WP-Nonce` header). The nonce is tied to the `wp_rest` action for the REST API.\n- **Preconditions:** The plugin must be active. The attacker needs valid Administrator credentials.\n\n### 3. Code Flow\n1.  **Entry Point:** The REST route `backwpup\u002Fv1\u002Fgetblock` is registered (likely in `src\u002FInfrastructure\u002FRest\u002FRoute\u002FGetBlock.php`, inferred from plugin structure).\n2.  **Handler:** The callback function for this route retrieves the `block_name` and `block_type` parameters from the request.\n3.  **Sanitization:** The code performs a check like `$block_name = str_replace( '..\u002F', '', $block_name );`.\n4.  **File Construction:** The plugin constructs a file path: `$file = BACKWPUP_PLUGIN_DIR . '\u002Fsrc\u002FView\u002F' . $block_type . '\u002F' . $block_name . '.php';` (pathing inferred from `backwpup-admin.js` usage).\n5.  **Sink:** The plugin uses `include` or `require` on the constructed path.\n\n### 4. Nonce Acquisition Strategy\nThe REST API endpoint requires a standard WordPress REST nonce. This is exposed to the admin dashboard via the `backwpupApi` object.\n\n1.  **Access Dashboard:** Navigate to the BackWPup \"Jobs\" or \"Settings\" page in the WordPress admin area.\n2.  **Locate Variable:** The plugin localizes data into the `backwpupApi` JavaScript object.\n3.  **Extraction:**\n    - Use `browser_navigate` to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=backwpupjobs`.\n    - Use `browser_eval` to extract the nonce:\n      ```javascript\n      window.backwpupApi?.nonce\n      ```\n4.  **Endpoint Discovery:** Also extract the base REST URL if needed: `window.backwpupApi?.getblock`.\n\n### 5. Exploitation Strategy\nWe will attempt to include `wp-config.php` using a PHP filter wrapper to read its content in Base64 format, bypassing the limitation that `include` usually executes PHP rather than displaying source.\n\n**Step-by-Step Plan:**\n1.  **Login:** Authenticate as an administrator.\n2.  **Get Nonce:** Extract the `backwpupApi.nonce` using the strategy above.\n3.  **Craft Payload:** \n    - The target file is `wp-config.php`, typically located 3 levels up from the plugin's view directory (`wp-content\u002Fplugins\u002Fbackwpup\u002Fsrc\u002FView\u002F...`).\n    - Using `....\u002F\u002F` to bypass `str_replace('..\u002F', '', $input)`.\n    - Payload: `php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002Fwp-config` (The `.php` extension is likely appended by the plugin).\n4.  **Execute Request:**\n    ```bash\n    POST \u002Fwp-json\u002Fbackwpup\u002Fv1\u002Fgetblock\n    Header: X-WP-Nonce: [EXTRACTED_NONCE]\n    Header: Content-Type: application\u002Fx-www-form-urlencoded\n\n    block_name=php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002Fwp-config&block_type=component\n    ```\n5.  **Decode Output:** The response body will contain the Base64 encoded content of `wp-config.php`.\n\n### 6. Test Data Setup\n1.  **Plugin:** Install and activate BackWPup version 5.6.6.\n2.  **User:** Create an admin user (e.g., `admin`\u002F`password`).\n3.  **Target File:** Ensure `wp-config.php` exists in the standard location.\n\n### 7. Expected Results\n- The REST API should return a `200 OK` response.\n- The body should contain a Base64 string.\n- When decoded, the string should contain the PHP code of `wp-config.php`, including `DB_NAME`, `DB_USER`, and `DB_PASSWORD`.\n\n### 8. Verification Steps\n1.  **HTTP Check:** Verify the `http_request` response status and content.\n2.  **Base64 Decoding:** Decode the result and verify the presence of the `\u003C?php` tag and WordPress database constants.\n3.  **Comparison:** Use `wp-cli` to check the actual `wp-config.php` content for verification:\n    ```bash\n    cat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php\n    ```\n\n### 9. Alternative Approaches\n- **Direct Traversal:** If the PHP filter wrapper is blocked or fails, try direct traversal to a non-PHP file (if the plugin doesn't strictly append `.php`): `....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002Fetc\u002Fpasswd`.\n- **RCE via Upload:** If the attacker can upload a file (e.g., via the \"Backups\" feature or media library), they can include that file using the LFI to gain Remote Code Execution.\n- **Log Poisoning:** If the server logs (like `access.log`) are reachable, poison the logs with PHP code and include the log file.\n- **Block Type Manipulation:** Try different `block_type` values if the directory structure differs (e.g., `component`, `children`, `alerts`). Based on `backwpup-admin.js`, `component` and `children` are valid `block_type` values.","The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the 'block_name' parameter in the '\u002Fwp-json\u002Fbackwpup\u002Fv1\u002Fgetblock' REST endpoint. This vulnerability stems from a non-recursive str_replace() filter that fails to properly sanitize path traversal sequences, allowing authenticated administrators (or users with backup permissions) to include arbitrary PHP files. Attackers can bypass the filter using crafted sequences like '....\u002F\u002F' to read sensitive files such as 'wp-config.php' or achieve remote code execution.","\u002F\u002F src\u002FInfrastructure\u002FRest\u002FRoute\u002FGetBlock.php\n\npublic function handle( \\WP_REST_Request $request ) {\n    $block_name = $request->get_param( 'block_name' );\n    $block_type = $request->get_param( 'block_type' );\n\n    \u002F\u002F Vulnerable: Non-recursive str_replace allows bypasses like ....\u002F\u002F\n    \u002F\u002F Line number inferred\n    $block_name = str_replace( '..\u002F', '', $block_name );\n\n    $file = BACKWPUP_PLUGIN_DIR . '\u002Fsrc\u002FView\u002F' . $block_type . '\u002F' . $block_name . '.php';\n\n    if ( file_exists( $file ) ) {\n        include $file;\n    }\n}","--- a\u002Fsrc\u002FInfrastructure\u002FRest\u002FRoute\u002FGetBlock.php\n+++ b\u002Fsrc\u002FInfrastructure\u002FRest\u002FRoute\u002FGetBlock.php\n@@ -15,1 +15,3 @@\n-        $block_name = str_replace( '..\u002F', '', $block_name );\n+        while ( strpos( $block_name, '..\u002F' ) !== false ) {\n+            $block_name = str_replace( '..\u002F', '', $block_name );\n+        }","To exploit this vulnerability, an attacker with Administrator-level access (or a user granted backup management permissions) must first obtain a valid REST API nonce. This nonce is typically exposed in the admin dashboard within the 'backwpupApi' JavaScript object. The attacker then sends a POST request to the '\u002Fwp-json\u002Fbackwpup\u002Fv1\u002Fgetblock' endpoint with the 'block_name' parameter set to a crafted path traversal payload. By using a sequence like '....\u002F\u002F', the attacker bypasses the plugin's non-recursive 'str_replace' filter, which reduces the sequence to '..\u002F'. This allows the attacker to traverse directories and include arbitrary PHP files. For example, using a PHP filter wrapper like 'php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002Fwp-config' allows the attacker to read the contents of 'wp-config.php' in Base64 format.","gemini-3-flash-preview","2026-04-16 15:59:31","2026-04-16 15:59:59",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.6.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbackwpup\u002Ftags\u002F5.6.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbackwpup.5.6.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbackwpup\u002Ftags\u002F5.6.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbackwpup.5.6.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbackwpup\u002Ftags"]