Product: WordPress plugin EZPZ One Click Backup
Vulnerability type: CWE-78 OS Command Injection
Vulnerable versions: 12.03.10 and some earlier versions
Google Dork: intext:plugins/ezpz-one-click-backup/
Credits: Henri Salo
Fixed version: N/A
Solution: Remove plugin
Vendor notification: Contact details N/A
WordPress plugins team notification: 2014-04-30
Risk: High
CVE: CVE-2014-3114

Vulnerability Details:

The plugin contains a flaw in functions/ezpz-archive-cmd.php: the value of the
'cmd' query parameter is passed to exec() without any sanitization or
authentication check. With a specially crafted request, an unauthenticated
remote attacker can execute arbitrary commands directly on the operating system.

http://plugins.svn.wordpress.org/ezpz-one-click-backup/tags/12.03.10/functions/ezpz-archive-cmd.php

<?php
if (isset($_GET['cmd'])) {
    // Attacker-controlled query parameter is URL-decoded a second time and
    // handed straight to exec(): no allowlist, no escaping, no auth (CWE-78).
    exec(urldecode($_GET['cmd']));
    tmp_write("<h2>Running zip page...</h2>");
}
?>

Steps to reproduce:

http://example.com/wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=uptime
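As an added detection example (not part of the original advisory), the following Python scans web-server access-log lines for requests to the vulnerable script that carry a cmd parameter. The log lines are constructed; the value is decoded twice because PHP already decodes $_GET once and the plugin then calls urldecode() on it again, so a detection rule that decodes only once misses encoded variants.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path of the vulnerable script, as named in the advisory.
VULN_PATH = "/wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php"

# Combined-log request line: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def extract_cmd(target):
    """Return the cmd value as exec() would receive it, or None if this request
    does not hit the vulnerable script with a cmd parameter.

    parse_qs() performs the one decode PHP does when building $_GET; the extra
    unquote() mirrors the plugin's own urldecode() call on top of that.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "cmd" not in qs:
        return None
    return unquote(qs["cmd"][0])


def scan_log(lines):
    """Return (client_ip, timestamp, status, decoded_cmd) for every hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        cmd = extract_cmd(m.group("target"))
        if cmd is None:
            continue
        hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), cmd))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Apr/2014:10:00:01 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=uptime HTTP/1.1" 200 512 "-" "curl/7.30.0"',
    '203.0.113.5 - - [30/Apr/2014:10:00:02 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=%2575ptime HTTP/1.1" 200 512 "-" "curl/7.30.0"',
    '198.51.100.9 - - [30/Apr/2014:10:00:03 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Apr/2014:10:00:04 +0000] "GET /index.php?cmd=uptime HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, cmd in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} cmd={cmd!r}")
```

The second sample line is double-encoded and still resolves to the same command, which is why the scanner decodes exactly as the plugin does.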

Notes:

The plugin can no longer be downloaded from the WordPress admin panel or from
the links below, but it is still installed on many sites, as this search shows:
inurl:"/wp-content/plugins/ezpz-one-click-backup/"

https://wordpress.org/plugins/ezpz-one-click-backup/
http://downloads.wordpress.org/plugin/ezpz-one-click-backup.latest-stable.zip

From the developer's website 2012-04-27:
"""
Due to recent changes in the Dropbox API, EZPZ One Click Backup can no longer
save files to Dropbox.

I apologize but due to various reasons there will be no new versions released or
further support for EZPZ OCB in the foreseeable future.

For a reliable, inexpensive alternative I recommend trying MyRepono and the
MyRepono Plugin. This service, while not entirely free (the fees are as low as
2¢ a day for a small site), works great on WordPress sites as large as 5GB,
maybe even larger. MyRepono gives a $5.00 credit when signing up for the service
so there is no cost to try it out.

Again, I apologize to all EZPZ One Click Backup users and wish you all the best.
"""

Might be related:
http://wordpress.org/support/topic/plugin-ezpz-one-click-backup-possible-security-flaw


Henri Salo

References:

http://seclists.org/oss-sec/2014/q2/221
http://wordpress.org/support/topic/plugin-ezpz-one-click-backup-possible-security-flaw
http://plugins.svn.wordpress.org/ezpz-one-click-backup/tags/12.03.10/functions/ezpz-archive-cmd.php