Description
importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not require that authentication be enabled, which allows remote attackers to obtain sensitive information, or overwrite or delete files, via vectors involving a (1) direct request, (2) step=1 request, (3) step=2 or step=3 request, or (4) step=7 request.
References (2)
Core References
Exploit x_refsource_misc
http://packetstormsecurity.com/files/120923
Exploit mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html
Scores
EPSS
0.0256
EPSS Percentile
83.1%
Details
CWE
CWE-287
Status
published
Products (5)
ithemes/backupbuddy
1.3.4
ithemes/backupbuddy
2.1.4
ithemes/backupbuddy
2.2.4
ithemes/backupbuddy
2.2.25
ithemes/backupbuddy
2.2.28
Published
Apr 02, 2013
Tracked Since
Feb 18, 2026