CVE-2021-39327

MEDIUM NUCLEI

Wordpress BulletProof Security Backup Disclosure

Title source: metasploit

Description

The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.

Exploits (2)

exploitdb WORKING POC

by Ron Jost · pythonwebappsphp

https://www.exploit-db.com/exploits/50382

View Code ZIP pw:eip

metasploit WORKING POC

by Ron Jost (Hacker5preme), h00die · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_bulletproofsecurity_backups.rb

View Code ZIP pw:eip

Nuclei Templates (1)

WordPress BulletProof Security 5.1 Information Disclosure

MEDIUMby geeknik

References (5)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/164420/WordPress-BulletProof-Security-5.1-Information-Disclosure.html

[Exploit, Third Party Advisory] https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2021-39327

[Patch, Third Party Advisory] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2591118%40bulletproof-security&new=2591118%40bulletproof-security&sfp_email=&sfph_mail=

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/50382

[Third Party Advisory] https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39327

Scores

CVSS v3 5.3

EPSS 0.9094

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-200 CWE-459

Status published

Products (1)

ait-pro/bulletproof_security < 5.1

Published Sep 17, 2021

Tracked Since Feb 18, 2026