CVE-2023-5504 - How a Directory Traversal Flaw in BackWPup Can Take Down Other Sites

The BackWPup plugin is one of the most widely used WordPress backup plugins, trusted by hundreds of thousands of sites for safe, automated backups. But in late 2023, security researchers discovered a serious vulnerability: CVE-2023-5504. This bug exposes countless servers, letting attackers with just basic login access hijack backup locations—even targeting the root of other websites in a shared hosting setup. The implications are alarming: an attacker could make another site on the same server go down, simply by changing a setting in BackWPup.

In this article, we'll break down exactly what the flaw is, how it works, and demonstrate with code how a malicious user could exploit it. Plus, we’ll offer guidance to stay protected if you’re using—or have ever used—BackWPup.

What Is CVE-2023-5504?

CVE-2023-5504 is a directory traversal vulnerability in BackWPup, affecting all versions up to 4..1. With this bug, any user with permission to access the BackWPup admin interface (often Editor or lower) can set the backup folder to an arbitrary path—any writeable directory on the server.

Why is this bad? Because once the backup job runs, BackWPup will not just dump files there—it will also write both an index.php and a .htaccess file into that directory. These files are intended to secure the folder, but if written in the wrong place, they can break other websites hosted on the same server.

Official References

- WPScan Advisory
- NVD - CVE-2023-5504
- BackWPup Change Log

Who’s at Risk?

- Anyone on shared hosting. If your server hosts more than one website (typical with many web hosts), an attacker on one site could damage others.
- Anyone with low-trust WordPress users. Users like Editors, Contractors, or anyone given logistical plugin-management privileges can use this attack.

How Does The Exploit Work?

1. Log In: The attacker accesses the WordPress admin with a user role that can configure BackWPup (often Editor or Manager).
2. Change Backup Directory: They set the "Log File Folder" or "Backup Folder" to a path outside the current website—perhaps the root of another website under the same server account.
3. Run Backup: Start a backup job. BackWPup creates index.php and .htaccess in the target directory.

Visual Overview

[SiteA WordPress (attacker)]
   |
   |--- [BackWPup Plugin Configured]
         |
         |--- Backup folder set to: ../../SiteB/
                        |
                        |--- BackWPup runs
                              |
                              |--- Writes index.php, .htaccess to /SiteB
                                     |
                                     |--- SiteB now dysfunctional!

Suppose you have two sites on your server

- /home/account/public_html/siteA/ (running BackWPup)
- /home/account/public_html/siteB/ (innocent target)

Change Log File Folder to

../../siteB/

> The traversal ../../ escapes siteA’s directory, moving up to the shared root before “entering” siteB.

BackWPup writes these files

- /home/account/public_html/siteB/index.php
- /home/account/public_html/siteB/.htaccess

index.php

<?php
// Silence is golden.

.htaccess

Order deny,allow
Deny from all

Variants

You can target any writeable folder: logs folders, uploads folders, app data, etc.

Enforce directory isolation—never let scripts from one website write to another’s folder.

- Use open_basedir restrictions in PHP, limiting plugins to only write inside their own website’s directory.

Preventing Exploit in Code

The simple way BackWPup could have prevented this is by checking that the backup directory never leaves the website root. Here’s what a basic check could look like:

$backup_folder = $_POST['backup_folder'];
$real_base = realpath(ABSPATH); // WordPress site root
$real_target = realpath($backup_folder);

if (strpos($real_target, $real_base) !== ) {
    die('Backup directory must be inside this site');
}

But as of version 4..1, such checks were missing, and the plugin trusted whatever folder the user typed.

Do Attackers Use This In The Wild?

While there are no public mass-exploits reported (as of June 2024), directory traversal attacks are *old news* in developer circles. Shared hosting environments are especially at risk, and with BackWPup’s popularity, it’s likely only a matter of time before more attackers try this method.

Conclusion

CVE-2023-5504 is a stark reminder: even trusted WordPress plugins can hide devastating vulnerabilities. If you control multiple sites, or run WordPress on shared hosting, double-check your BackWPup version and configs *now*. One careless backup setting could take down a neighbor’s website—or yours.

→ Need more details?

- Here’s the official CVE advisory
- WPScan analysis

Stay safe, keep your plugins updated, and always think twice about what folders your code can touch!

Timeline

Published on: 01/11/2024 09:15:47 UTC
Last modified on: 01/17/2024 19:50:57 UTC