CVE-2021-24155 Overview
CVE-2021-24155 is an arbitrary file upload vulnerability in the WordPress Backup and Migrate Plugin – Backup Guard prior to version 1.6.0. The plugin failed to properly validate that imported backup files conform to the expected SGBP format and extension, allowing authenticated administrators to upload arbitrary files, including malicious PHP scripts. Successful exploitation leads to Remote Code Execution (RCE) on the underlying web server.
Critical Impact
Authenticated administrators can upload arbitrary PHP files through the backup import functionality, achieving full Remote Code Execution on the WordPress server. With exploit code publicly available, this vulnerability poses a significant risk to unpatched installations.
Affected Products
- Backup Guard WordPress Plugin versions prior to 1.6.0
- WordPress installations running vulnerable Backup Guard versions
- Web servers hosting affected WordPress instances
Discovery Timeline
- 2021-04-05 - CVE-2021-24155 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-24155
Vulnerability Analysis
The Backup Guard plugin provides WordPress administrators with backup and migration capabilities. A critical flaw exists in the file import functionality where the plugin fails to validate that uploaded backup files have the proper SGBP format and file extension before processing them. This insufficient input validation allows an attacker with administrator privileges to upload arbitrary files, including PHP scripts that can execute commands on the server.
While the attack requires administrative credentials, this can still be exploited in scenarios involving compromised admin accounts, social engineering attacks against site administrators, or in multi-tenant WordPress environments where untrusted parties have admin access to individual sites.
Root Cause
The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type). The backup import functionality does not implement proper validation checks to ensure that uploaded files match the expected SGBP backup format. The plugin processes any uploaded file regardless of its actual content type or extension, allowing PHP files to be uploaded to the server's web-accessible directory structure.
Attack Vector
An authenticated attacker with administrator privileges can exploit this vulnerability through the following attack flow:
- The attacker logs into the WordPress admin dashboard with administrator credentials
- The attacker navigates to the Backup Guard plugin's import functionality
- The attacker uploads a malicious PHP file (such as a web shell) disguised as a backup file
- The plugin accepts and stores the file without validating its format
- The attacker requests the uploaded PHP file directly from the web server
- Arbitrary PHP code executes with the privileges of the web server process
The vulnerability mechanism involves bypassing file type validation in the backup import handler. When a file is submitted through the import function, the plugin should verify both the file extension and the internal file format match the expected SGBP backup structure. Instead, the plugin processes files without these checks, allowing attackers to upload executable PHP scripts that can be accessed via direct URL requests, resulting in code execution. Detailed technical exploitation information is available in the Packet Storm Shell Upload Exploit and Packet Storm Remote Code Execution Exploit advisories.
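The following is an added example for this write-up, not the plugin's own code, that models the two checks the paragraph above says the import handler should perform (extension and internal format) next to the unchecked behaviour described. It assumes that an SGBP backup is a ZIP container (an assumption; the format is not documented on this page) and that a legitimate backup never carries PHP source as an archive member. The function names and the sample archive contents are constructed.

```python
"""Model of the input validation the Backup Guard import handler lacked
before 1.6.0. Added example, not the plugin's code. Assumption: the SGBP
file is a ZIP container and contains no executable members."""
import io
import os
import zipfile

ALLOWED_EXT = ".sgbp"
ZIP_LOCAL_HEADER = b"PK\x03\x04"          # first bytes of a non-empty ZIP
# Suffixes a web server may execute if the archive were unpacked under
# the document root (illustrative list, not exhaustive).
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".phar")


def accept_import_unchecked(filename, data):
    """Behaviour described in the write-up: any non-empty upload is
    accepted and written out under its client-supplied name."""
    return bool(filename) and len(data) > 0


def validate_import(filename, data):
    """Return (ok, reason). Accept only when the client-supplied name has
    exactly the expected extension, the content starts with and parses as
    the expected container, and no member could be executed or escape the
    extraction directory."""
    base = os.path.basename(filename)        # drop any path components
    root, ext = os.path.splitext(base)
    if ext.lower() != ALLOWED_EXT:
        return False, f"extension {ext!r} is not {ALLOWED_EXT}"
    # e.g. shell.php.sgbp: the inner suffix is what a misconfigured server
    # might honour after an extension-stripping rename
    if os.path.splitext(root)[1].lower() in EXECUTABLE_SUFFIXES:
        return False, "executable suffix hidden before the backup extension"
    if not data.startswith(ZIP_LOCAL_HEADER):
        return False, "content does not start with the container signature"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return False, "content is not a valid archive"
    for member in members:
        if member.lower().endswith(EXECUTABLE_SUFFIXES):
            return False, f"archive member {member!r} is executable"
        if member.startswith("/") or ".." in member.split("/"):
            return False, f"archive member {member!r} escapes the target directory"
    return True, "ok"


def make_sample_archive(members):
    """Build a small in-memory ZIP from {name: bytes}; constructed test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    good = make_sample_archive({"database.sql": b"CREATE TABLE wp_posts (id INT);"})
    print(validate_import("site-backup.sgbp", good))          # (True, 'ok')
    print(validate_import("shell.php", b"<?php echo 'x'; ?>"))  # rejected
```

The signature check rejects a PHP file with a ZIP appended to it, which `zipfile` alone would open because it locates the central directory from the end of the data. Validation is one layer; storing the upload under a server-chosen name outside the web root, and the `.htaccess` rule given under Workarounds, are the others.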
Detection Methods for CVE-2021-24155
Indicators of Compromise
- Unexpected PHP files in the Backup Guard plugin upload directories
- Web server access logs showing requests to unusual PHP files in plugin directories
- Suspicious POST requests to the Backup Guard import functionality with non-SGBP file content
- Evidence of web shell activity such as command execution or reverse shell connections
Detection Strategies
- Monitor WordPress plugin directories for newly created PHP files outside of normal update cycles
- Implement file integrity monitoring on the WordPress installation directories
- Analyze web server logs for HTTP requests to suspicious PHP files in the wp-content/plugins/backup-guard/ directory
- Deploy web application firewall (WAF) rules to detect file upload attacks targeting WordPress plugins
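As an added example for the log-analysis and file-monitoring strategies listed above (not code from the page or from any product it names), the script below flags requests for PHP files under the wp-content/plugins/backup-guard/ directory in combined-format access logs and lists PHP files on disk that are absent from a manifest of the files the installed plugin version ships. The log lines, file names and the manifest are constructed; whether any PHP file under that directory is legitimately requested directly is an assumption the rule makes, so treat hits as leads for review.

```python
"""Detection helpers for the indicators named in this write-up. Added
example; the log lines and paths below are constructed, not from an
incident."""
import os
import re
from urllib.parse import urlsplit

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PLUGIN_PREFIX = "/wp-content/plugins/backup-guard/"   # directory named in the write-up
PHP_SUFFIXES = (".php", ".phtml")


def flag_plugin_php_requests(lines):
    """Return one finding per request whose URL path (query string
    ignored) is a PHP file below the plugin directory."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue          # not combined format; skip rather than guess
        path = urlsplit(m.group("target")).path
        if path.startswith(PLUGIN_PREFIX) and path.lower().endswith(PHP_SUFFIXES):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
            })
    return findings


def find_unexpected_php(root, known_relpaths):
    """Walk `root` and return relative paths of PHP files that are not in
    the manifest of files a clean copy of the installed plugin contains."""
    unexpected = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_SUFFIXES):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            rel = rel.replace(os.sep, "/")
            if rel not in known_relpaths:
                unexpected.append(rel)
    return sorted(unexpected)


# Constructed sample: one admin page view, one AJAX call, one direct hit on
# a PHP file in the plugin directory, one static asset request.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Apr/2021:10:01:22 +0000] "GET /wp-admin/admin.php?page=backup_guard_backups HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Apr/2021:10:02:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Apr/2021:10:03:45 +0000] "GET /wp-content/plugins/backup-guard/public/uploads/cache.php?p=1 HTTP/1.1" 200 48 "-" "curl/7.68.0"',
    '198.51.100.7 - - [05/Apr/2021:10:04:01 +0000] "GET /wp-content/plugins/backup-guard/public/css/style.css HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in flag_plugin_php_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

Build the manifest for `find_unexpected_php` from a freshly downloaded copy of the same plugin version, then run it against the live directory; the page's advice to compare against normal update cycles translates to re-generating the manifest after each plugin update.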
Monitoring Recommendations
- Enable audit logging for WordPress administrative actions, particularly plugin operations
- Configure SentinelOne agents to monitor for suspicious PHP file creation in web directories
- Set up alerts for outbound network connections initiated by the web server process
- Monitor for process spawning from the PHP interpreter that may indicate shell execution
How to Mitigate CVE-2021-24155
Immediate Actions Required
- Update Backup Guard plugin to version 1.6.0 or later immediately
- Review WordPress plugin directories for any unauthorized PHP files
- Audit WordPress admin user accounts and verify no unauthorized access has occurred
- Consider temporarily disabling the Backup Guard plugin if immediate patching is not possible
Patch Information
The vulnerability is addressed in Backup Guard version 1.6.0 which implements proper validation of imported backup files. Update the plugin through the WordPress admin dashboard or download the latest version from the WordPress plugin repository. After updating, verify the plugin version in the Plugins section of the WordPress admin area. Additional vulnerability details are available in the WPScan Vulnerability Report.
Workarounds
- Restrict WordPress administrator access to trusted users only until patching is complete
- Implement server-level file upload restrictions to block PHP files from being uploaded through the web application
- Configure the web server to deny execution of PHP files in the Backup Guard upload directories
- Use a Web Application Firewall to filter malicious file upload attempts
# Apache configuration to prevent PHP execution in plugin upload directory
# Add to .htaccess in wp-content/plugins/backup-guard/
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

