Product: WordPress plugin EZPZ One Click Backup
Vulnerability type: CWE-78 OS Command Injection
Vulnerable versions: 12.03.10 and some earlier versions
Google dork: intext:plugins/ezpz-one-click-backup/
Credits: Henri Salo
Fixed version: N/A
Solution: Remove plugin
Vendor notification: Contact details N/A
WordPress plugins team notification: 2014-04-30
Risk: High
CVE: CVE-2014-3114

Vulnerability Details:

The plugin contains a flaw that is triggered when input passed via the 'cmd'
parameter of ezpz-archive-cmd.php is not properly sanitized before being
executed. With a specially crafted request, an unauthenticated remote attacker
can execute arbitrary commands directly on the underlying operating system.

<?php
if (isset($_GET['cmd'])){
    echo '<h2>Running zip page...</h2>';
    /* The advisory excerpt ends here. The remainder of the script passes
       $_GET['cmd'] to the operating system without sanitization. */
}
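Because the only fix is to remove the plugin, the practical questions for an operator are whether the endpoint was ever hit and whether the plugin is still on disk. The following is an added example, not part of this advisory or of the plugin: a small Python triage script that classifies web-server log lines against the vulnerable endpoint and reports the decoded 'cmd' payload, plus a remediation check for the plugin directory. It assumes the Apache/nginx "combined" log format and the standard WordPress layout (wp-content/plugins/ezpz-one-click-backup/), and it assumes ezpz-archive-cmd.php lives under that directory; the log lines are constructed samples, not real traffic.

```python
"""Triage web-server logs for requests to the EZPZ One Click Backup
command-injection endpoint (CVE-2014-3114). Added example, not plugin code."""
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Plugin directory from the advisory's Google dork, script name from its
# vulnerability details. ASSUMPTION: the script sits somewhere under the
# plugin directory; the advisory does not state the exact path.
VULN_PATH = re.compile(
    r"/plugins/ezpz-one-click-backup/(?:[^?\s]*/)?ezpz-archive-cmd\.php$", re.I
)

# Apache/nginx "combined" log format (assumed; adapt to your server's format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Apr/2014:10:15:01 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/ezpz-archive-cmd.php?cmd=id HTTP/1.1" 200 512 "-" "curl/7.35.0"
203.0.113.5 - - [30/Apr/2014:10:15:07 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/ezpz-archive-cmd.php?cmd=cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/7.35.0"
198.51.100.7 - - [30/Apr/2014:10:16:00 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/ezpz-archive-cmd.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Apr/2014:10:16:30 +0000] "GET /index.php?cmd=ls HTTP/1.1" 404 300 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Apr/2014:10:17:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or return None."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Return None for unrelated traffic, or a dict describing a hit.

    kind == "probe": a request to the script with no cmd parameter
                     (recon, or a scanner checking the file exists).
    kind == "exec":  a cmd parameter was supplied; "cmd" holds the
                     URL-decoded command so an analyst can see what ran.
    """
    rec = parse_line(line)
    if rec is None:
        return None
    parts = urlsplit(rec["target"])
    if not VULN_PATH.search(parts.path):
        return None
    hit = {"ip": rec["ip"], "time": rec["time"], "status": int(rec["status"]),
           "kind": "probe", "cmd": None}
    # parse_qs percent-decodes and turns '+' into spaces, so
    # "cat%20%2Fetc%2Fpasswd" comes back as "cat /etc/passwd".
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "cmd" in qs:
        hit["kind"] = "exec"
        hit["cmd"] = qs["cmd"][0]
    return hit


def find_hits(log_text):
    """Return all hits in a block of log text, in file order."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


def plugin_installed(wp_root):
    """Remediation check: True if the plugin directory still exists under the
    WordPress root. The advisory's only fix is to remove the plugin entirely."""
    return (Path(wp_root) / "wp-content" / "plugins" / "ezpz-one-click-backup").is_dir()


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["kind"]:5} HTTP {h["status"]} cmd={h["cmd"]!r}')
    print("plugin still present:", plugin_installed("/var/www/html"))
```

A "probe" with status 200 is itself informative: it confirms the file was reachable at the time, even if no command was supplied. Note that the script only sees requests that reached the server log; a 200 on an "exec" hit does not by itself prove the command succeeded, so treat every exec hit as requiring host-level investigation.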

Steps to reproduce:


The plugin can no longer be downloaded through the WordPress admin panel or from
the links below, but it is still in use on many sites, as per:

From the developer’s website 2012-04-27:
Due to recent changes in the Dropbox API, EZPZ One Click Backup can no longer
save files to Dropbox.

I apologize but due to various reasons there will be no new versions released or
further support for EZPZ OCB in the foreseeable future.

For a reliable, inexpensive alternative I recommend trying MyRepono and the
MyRepono Plugin. This service, while not entirely free (the fees are as low as
2¢ a day for a small site), works great on WordPress sites as large as 5GB,
maybe even larger. MyRepono gives a $5.00 credit when signing up for the service
so there is no cost to try it out.

Again, I apologize to all EZPZ One Click Backup users and wish you all the best.

Might be related:

Henri Salo