PT-2026-54953 · Databasebackup · Wp Database Backup – Unlimited Database & Files Backup By Backup For Wp
Irwan Kusuma
·
Published
2026-07-02
·
Updated
2026-07-02
·
CVE-2026-9834
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the wp_db_exclude_table parameter. This is due to the direct concatenation of user-supplied $_POST['wp_db_exclude_table'] values into the mysqldump shell command string in the mysqldump() function of includes/admin/class-wpdb-admin.php without wrapping them in escapeshellarg(); every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is properly escaped, making the exclude-table values the sole exception. The only filtering applied, sanitize_text_field() via recursive_sanitize_text_field(), strips HTML tags but leaves shell metacharacters such as ;, |, `, and $() intact. This makes it possible for authenticated attackers with administrator-level access and above to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via update_option('wp_db_exclude_table'), later retrieved with get_option(), and passed unsanitized to shell_exec() whenever a backup operation runs.
Fix
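The two command builders below are an added example, not the plugin's code: the first mirrors the unescaped concatenation the advisory describes, the second validates each exclude-table value against an allowlist (tighter than MySQL's own naming rules, an assumption made here) and wraps every argument in escapeshellarg(). Database name and table values are constructed placeholders; neither builder executes anything.

```php
<?php
declare(strict_types=1);

// Stand-in for the only filter the advisory says is applied: it removes HTML
// tags but leaves shell metacharacters (; | ` $()) untouched.
function strip_tags_only(string $value): string
{
    return trim(strip_tags($value));
}

// Vulnerable pattern: exclude-table values are concatenated into the shell
// string raw, while the database name is escaped like the other arguments.
function build_dump_command_unsafe(array $exclude, string $db): string
{
    $cmd = 'mysqldump ' . escapeshellarg($db);
    foreach ($exclude as $table) {
        $cmd .= ' --ignore-table=' . $db . '.' . strip_tags_only($table);
    }
    return $cmd;
}

// Hardened pattern: reject anything that is not a plain identifier, then
// escape the whole db.table argument so no metacharacter reaches the shell.
function build_dump_command_safe(array $exclude, string $db): string
{
    $cmd = 'mysqldump ' . escapeshellarg($db);
    foreach ($exclude as $table) {
        $table = strip_tags_only($table);
        if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
            throw new InvalidArgumentException("Rejected exclude-table value: $table");
        }
        $cmd .= ' --ignore-table=' . escapeshellarg($db . '.' . $table);
    }
    return $cmd;
}

// Constructed input: one legitimate table name and one carrying a ';'.
$input = ['wp_posts', 'wp_options; true'];

echo build_dump_command_unsafe($input, 'wpdb'), PHP_EOL;   // ';' survives unquoted
try {
    echo build_dump_command_safe($input, 'wpdb'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'Blocked: ', $e->getMessage(), PHP_EOL;          // second value rejected
}
```

Run it to compare the two command strings; the unsafe builder emits the semicolon bare, the safe builder never builds a command from the tainted value.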
Command Injection
Weakness Enumeration
Related identifiers
Affected products
Wp Database Backup – Unlimited Database & Files Backup By Backup For Wp