A remote execution vulnerability has been discovered in WordPress backup utility BackWPup.
According to Sydney (Australia) company Sense of Security, which published the advisory along with a proof-of-concept, the vulnerability allows local or remote PHP files to be passed to a component of the utility.
“The input passed to the component wp_xml_export.php via the ‘wpabs’ variable allows the inclusion and execution of local or remote PHP files as long as a ‘_nonce’ value is known. The ‘_nonce’ value relies on a static constant which is not defined in the script meaning that it defaults to the value ‘822728c8d9’”, the advisory states.
Sense of Security says the vulnerability affects at least BackWPup Version 1.6.1 (the platform on which it has been tested), and users should upgrade to Version 1.7.1.