
CVE-2021-24155: Backup Guard WordPress Plugin RCE Flaw

CVE-2021-24155 is a remote code execution vulnerability in Backup Guard WordPress plugin allowing admin users to upload arbitrary PHP files. This article covers the technical details, affected versions, security impact, and mitigation.

CVE-2021-24155 Overview

CVE-2021-24155 is an arbitrary file upload vulnerability in the WordPress Backup and Migrate Plugin – Backup Guard before version 1.6.0. The plugin failed to validate that imported files matched the expected SGBP format and extension during the restore process. Authenticated administrators can therefore upload arbitrary files, including PHP scripts, which the web server then executes. Successful exploitation results in remote code execution (RCE) on the underlying WordPress host. The flaw is classified under CWE-434: Unrestricted Upload of File with Dangerous Type. Public exploit code is available through Exploit-DB and Packet Storm, and the EPSS score of 92.823% places it in the 99.768th percentile for likelihood of exploitation.

Critical Impact

Authenticated admin-level attackers can upload PHP webshells through the Backup Guard import functionality, achieving full remote code execution on the WordPress server.

Affected Products

  • Backup Guard WordPress plugin versions prior to 1.6.0
  • WordPress installations using backup-guard:backup_guard for backup and migration
  • Confirmed exploitable on Backup Guard 1.5.8 per public proof-of-concept

Discovery Timeline

  • 2021-04-05 - CVE-2021-24155 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-24155

Vulnerability Analysis

The Backup Guard plugin provides a restore feature that accepts an uploaded archive and extracts its contents into the WordPress installation. The plugin is designed to handle proprietary .sgbp backup archives. However, the import handler does not enforce server-side validation of file type, extension, or magic bytes before processing the upload. An authenticated user with administrator privileges can submit a PHP file through the import workflow, and the file is written to a web-accessible directory under the WordPress document root. Requesting that file through the browser triggers PHP execution, granting the attacker code execution in the context of the web server user.

Root Cause

The root cause is missing file-type validation in the plugin's import handler (CWE-434). The code accepts the file uploaded for restoration and writes it to disk without checking whether the extension is sgbp or whether the content matches the expected Backup Guard archive structure. Because WordPress sites typically allow PHP execution within plugin and upload directories, any attacker-controlled .php file lands in an executable location.
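The class of check the advisory says was absent before 1.6.0, shown as an added Python example (not the plugin's code, which is PHP, and not the vendor's patch): the import handler accepts only a bare file name with the .sgbp extension, verifies that the content is the expected archive format, and stores the file under a server-generated name with restrictive permissions. The `SGBP` magic value, the file names and the archive bytes are constructed assumptions; in a real handler the structural check belongs to the plugin's own archive reader.

```python
import os
import secrets
import tempfile

ALLOWED_EXT = ".sgbp"
# Placeholder header: the page does not document the SGBP container layout, so this is an
# assumed magic value. A real restore handler should instead refuse the file unless the
# plugin's archive reader can actually open it as a Backup Guard archive.
EXPECTED_MAGIC = b"SGBP"


def validate_import_upload(original_name, data, expected_magic=EXPECTED_MAGIC):
    """Return (ok, reason). Each check corresponds to something the pre-1.6.0 import handler skipped."""
    # Reject anything that is not a bare file name (no directories, no traversal).
    if not original_name or original_name != os.path.basename(original_name):
        return False, "file name contains a path component"
    # Exact extension allow-list: shell.php, shell.phtml and shell.sgbp.php all fail here.
    _, ext = os.path.splitext(original_name)
    if ext.lower() != ALLOWED_EXT:
        return False, "extension %r is not %s" % (ext, ALLOWED_EXT)
    # Structural check on the bytes themselves: a PHP script renamed to .sgbp fails here.
    if not data.startswith(expected_magic):
        return False, "content does not match the expected archive format"
    return True, "ok"


def store_import(original_name, data, dest_dir, expected_magic=EXPECTED_MAGIC):
    """Validate, then write under a server-generated name with mode 0600.

    The client never chooses the stored file name, and dest_dir should be a location
    where the web server does not execute PHP (see the Apache snippet under Workarounds).
    """
    ok, reason = validate_import_upload(original_name, data, expected_magic)
    if not ok:
        raise ValueError(reason)
    stored_path = os.path.join(dest_dir, secrets.token_hex(16) + ALLOWED_EXT)
    fd = os.open(stored_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored_path


def run_demo():
    """Constructed inputs: one well-formed archive and three uploads that must be refused."""
    dest = tempfile.mkdtemp()
    cases = {
        "site-2021-04-05.sgbp": b"SGBP\x00\x01constructed-archive-body",  # accepted
        "shell.php": b"<?php echo 1;",                                   # wrong extension
        "shell.php.sgbp": b"<?php echo 1;",                              # right extension, wrong content
        "../../wp-config.sgbp": b"SGBP\x00\x01",                         # path component in the name
    }
    verdicts = {name: validate_import_upload(name, body)[0] for name, body in cases.items()}
    stored = store_import("site-2021-04-05.sgbp", cases["site-2021-04-05.sgbp"], dest)
    return verdicts, stored


if __name__ == "__main__":
    verdicts, path = run_demo()
    for name, ok in verdicts.items():
        print("%-24s %s" % (name, "accepted" if ok else "rejected"))
    print("stored as", path)
```

The three checks are independent on purpose: the extension test alone would still pass a PHP script renamed to .sgbp, and the content test alone would still allow a client-chosen name to land a file wherever the directory layout permits, so the stored name is generated server-side regardless of what was uploaded.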

Attack Vector

Exploitation requires valid administrator credentials, which can be obtained through phishing, credential stuffing, reused credentials, or compromise of a higher-privileged account. After authenticating, the attacker navigates to the Backup Guard plugin's import page and submits a crafted PHP file in place of a legitimate .sgbp archive. The file is stored under the plugin's working directory inside wp-content. The attacker then requests the uploaded PHP file directly to invoke the webshell, gaining command execution as the web server process. Public exploits documented by Packet Storm demonstrate this workflow against Backup Guard 1.5.8. Refer to the Packet Storm Authenticated RCE Exploit and the WPScan Vulnerability Report for technical details.

Detection Methods for CVE-2021-24155

Indicators of Compromise

  • New .php files appearing under wp-content/plugins/backup-guard/ or the plugin's backup storage directories after a restore action.
  • HTTP POST requests to Backup Guard import endpoints followed by GET requests to unfamiliar .php files in the plugin path.
  • Outbound network connections from the WordPress host to attacker infrastructure shortly after an admin import event.
  • WordPress audit log entries showing administrator-initiated imports outside of normal change windows.

Detection Strategies

  • Monitor the WordPress filesystem for creation of executable file types (.php, .phtml, .phar) inside plugin and upload directories.
  • Inspect web server access logs for sequential import POST requests and subsequent direct requests to newly created PHP files.
  • Correlate WordPress administrative session events with file write activity on the underlying host.
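An added example (not from the page or the plugin) of the second strategy above, correlating import POSTs with later GETs to PHP files in the plugin path: it parses combined-format access log lines and raises an alert when the same client requests a `.php`, `.phtml` or `.phar` file under `wp-content/plugins/backup-guard/` within ten minutes of an import POST. The sample log lines are constructed, and the `IMPORT_RE` pattern for the import endpoint is an assumption to be replaced with the request path the installed plugin actually uses.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined log format; not real traffic. The first client
# performs an import and then fetches a new PHP file; the second client only fetches
# static assets and, much later, a PHP file without any preceding import.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Apr/2021:10:15:01 +0000] "POST /wp-admin/admin.php?page=backup_guard_import HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Apr/2021:10:15:07 +0000] "GET /wp-content/plugins/backup-guard/public/ajax/sgbp-helper.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Apr/2021:10:16:00 +0000] "GET /wp-content/plugins/backup-guard/public/js/main.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Apr/2021:11:40:00 +0000] "GET /wp-content/plugins/backup-guard/public/ajax/sgbp-helper.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed import endpoint pattern; replace with the plugin's real import request path.
IMPORT_RE = re.compile(r"backup[_-]?guard.*import", re.IGNORECASE)
# Direct requests to executable file types inside the plugin directory.
PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/backup-guard/.*\.(php|phtml|phar)(\?|$)", re.IGNORECASE)
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_import_then_php(lines, window=WINDOW):
    """Return alerts (ip, import_ts, php_path, php_ts): a GET to a PHP file under the
    plugin directory within `window` after an import POST from the same client."""
    last_import = {}  # ip -> timestamp of that client's most recent import POST
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["method"] == "POST" and IMPORT_RE.search(ev["path"]):
            last_import[ev["ip"]] = ev["ts"]
            continue
        if ev["method"] == "GET" and PLUGIN_PHP_RE.match(ev["path"]):
            seen = last_import.get(ev["ip"])
            if seen is not None and timedelta(0) <= ev["ts"] - seen <= window:
                alerts.append((ev["ip"], seen, ev["path"], ev["ts"]))
    return alerts


def scan_sample():
    """Run the detector over the constructed sample log."""
    return find_import_then_php(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, import_ts, path, php_ts in scan_sample():
        print("ALERT %s imported at %s then fetched %s at %s" % (ip, import_ts, path, php_ts))
```

Keying the correlation on the client address keeps the rule quiet for ordinary plugin traffic (the second client fetches the same PHP path but never imports), at the cost of missing an actor who imports from one address and calls the file from another; pairing this rule with the file-creation monitoring in the next section covers that case.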

Monitoring Recommendations

  • Enable file integrity monitoring across wp-content/plugins/ and wp-content/uploads/ directories.
  • Forward web server, PHP-FPM, and WordPress audit logs to a centralized SIEM for correlation and retention.
  • Alert on php processes spawning shell interpreters such as sh, bash, or cmd.exe on WordPress hosts.
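An added example (not from the page) of the file integrity check that the first detection strategy and the first monitoring recommendation describe, generalised to any directory tree: take a SHA-256 snapshot of a plugin directory, rescan after a restore, and report executable-type files that appeared or changed separately from all other changes. The directory layout and file contents built in `run_demo` are constructed.

```python
import hashlib
import os
import tempfile

EXEC_EXTS = {".php", ".phtml", ".phar"}


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digests[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Return (new_exec, modified_exec, other): executable-type files that appeared or
    changed since the baseline, and every other added, changed or removed file."""
    new_exec, modified_exec, other = [], [], []
    for rel, digest in after.items():
        is_exec = os.path.splitext(rel)[1].lower() in EXEC_EXTS
        if rel not in before:
            (new_exec if is_exec else other).append(rel)
        elif before[rel] != digest:
            (modified_exec if is_exec else other).append(rel)
    other.extend(rel for rel in before if rel not in after)
    return sorted(new_exec), sorted(modified_exec), sorted(other)


def run_demo():
    """Constructed scenario: baseline a plugin tree, then simulate a restore that drops a
    new PHP file and rewrites an existing one."""
    root = tempfile.mkdtemp()
    plugin = os.path.join(root, "wp-content", "plugins", "backup-guard", "public", "ajax")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "main.js"), "wb") as f:
        f.write(b"console.log('constructed');")
    with open(os.path.join(plugin, "existing.php"), "wb") as f:
        f.write(b"<?php // constructed placeholder for a shipped plugin file\n")
    baseline = snapshot(root)
    # Changes after the baseline: one new executable file, one rewritten executable file.
    with open(os.path.join(plugin, "dropped.php"), "wb") as f:
        f.write(b"<?php // constructed placeholder for an unexpected file\n")
    with open(os.path.join(plugin, "existing.php"), "ab") as f:
        f.write(b"// appended\n")
    return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    new_exec, modified_exec, other = run_demo()
    print("new executable files:     ", new_exec)
    print("modified executable files:", modified_exec)
    print("other changes:            ", other)
```

Separating executable-type changes from the rest matters operationally: a legitimate restore rewrites many files, so a flat "something changed" alert is noise, whereas a new `.php` file under the plugin's storage path after an import is exactly the indicator listed above.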

How to Mitigate CVE-2021-24155

Immediate Actions Required

  • Upgrade Backup Guard to version 1.6.0 or later on all WordPress sites that use the plugin.
  • Audit administrator accounts, rotate credentials, and enforce multi-factor authentication on wp-admin access.
  • Inspect wp-content/plugins/backup-guard/ and related upload paths for unexpected PHP files and remove any webshells found.
  • Review web server access logs for suspicious requests to PHP files inside the Backup Guard plugin directory.

Patch Information

The vendor addressed the issue in Backup Guard version 1.6.0 by enforcing validation of the SGBP format and extension on imported files. Administrators should update through the WordPress plugin manager or replace the plugin source with the patched release. Confirm the installed version reports 1.6.0 or higher after applying the update.

Workarounds

  • Deactivate and remove the Backup Guard plugin until the patched version can be deployed.
  • Restrict access to wp-admin by source IP using web server or WAF rules to reduce the credentialed attack surface.
  • Disable PHP execution within wp-content/uploads/ and plugin storage directories using web server configuration.
  • Deploy a web application firewall rule that blocks uploads with non-.sgbp extensions to the Backup Guard import endpoint.

```apache
# Apache configuration to disable PHP execution in upload directories
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

```bash
# Verify installed Backup Guard version via WP-CLI
wp plugin get backup-guard --field=version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
