Product: WordPress plugin EZPZ One Click Backup
Vulnerability type: CWE-78 OS Command Injection
Vulnerable versions: 12.03.10 and some earlier versions
Google dork: intext:plugins/ezpz-one-click-backup/
Credits: Henri Salo
Fixed version: N/A
Solution: Remove plugin
Vendor notification: Contact details N/A
WordPress plugins team notification: 2014-04-30
The plugin contains a flaw that is triggered when input passed via the ‘cmd’
parameter of ezpz-archive-cmd.php is not properly sanitized. With a specially
crafted request, an unauthenticated remote attacker can execute arbitrary
commands directly on the operating system.
<?php
Running zip page...</h2>
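Because no fixed version exists and the only remedy is removing the plugin, the useful defensive step is to find out whether ezpz-archive-cmd.php is still being requested. The following is an added example, not code from the advisory or the plugin: it scans Apache combined-format access log lines for requests that touch the plugin directory named in the Google dork or the vulnerable script, and reports any value of the ‘cmd’ query parameter. The log lines are constructed samples, and the placement of ezpz-archive-cmd.php directly under the plugin directory is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Apr/2014:10:12:01 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/ezpz-archive-cmd.php?cmd=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Apr/2014:10:12:05 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Apr/2014:10:12:09 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/ HTTP/1.1" 403 199 "-" "curl/7.30"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PLUGIN_DIR = "/plugins/ezpz-one-click-backup/"   # path from the advisory's Google dork
VULN_FILE = "ezpz-archive-cmd.php"               # script named in the advisory


def classify(line):
    """Return a finding dict for a request that touches the plugin, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    if PLUGIN_DIR not in path and VULN_FILE not in path:
        return None
    finding = {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "path": path,
        "severity": "medium",   # any probe of the plugin directory is worth a look
        "cmd": None,
    }
    if path.endswith(VULN_FILE):
        # A request to the vulnerable script: report the cmd parameter if present.
        finding["severity"] = "high"
        finding["cmd"] = parse_qs(url.query).get("cmd", [None])[0]
    return finding


def scan(log_text):
    """Scan a block of access-log text and return all findings in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["status"], f["path"], f["cmd"])
```

Only GET query strings appear in an access log, so a ‘cmd’ value sent in a POST body will show up as a request to the script with cmd reported as None; treat that hit as equally serious. A zero-result scan says nothing about whether the plugin files are still on disk, so also remove the plugin directory as the advisory instructs.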
Steps to reproduce:
The plugin can no longer be downloaded through the WordPress admin panel or from
the links below, but it is still in use on many sites, as per:
From the developer’s website 2012-04-27:
Due to recent changes in the Dropbox API, EZPZ One Click Backup can no longer
save files to Dropbox.
I apologize but due to various reasons there will be no new versions released or
further support for EZPZ OCB in the foreseeable future.
For a reliable, inexpensive alternative I recommend trying MyRepono and the
MyRepono Plugin. This service, while not entirely free (the fees are as low as
2¢ a day for a small site), works great on WordPress sites as large as 5GB,
maybe even larger. MyRepono gives a $5.00 credit when signing up for the service
so there is no cost to try it out.
Again, I apologize to all EZPZ One Click Backup users and wish you all the best.
Might be related: