CVE-2021-39327 Overview
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file. This vulnerability grants attackers the full path of the site, in addition to the path of database backup files. The flaw affects versions up to, and including, 5.1 of the plugin.
Critical Impact
Attackers can obtain sensitive server path information and database backup file locations, potentially enabling further exploitation or unauthorized access to backup data.
Affected Products
- BulletProof Security WordPress Plugin versions up to and including 5.1
- ait-pro bulletproof_security
Discovery Timeline
- 2021-09-17 - CVE CVE-2021-39327 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-39327
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-459 (Incomplete Cleanup). The BulletProof Security plugin exposes a log file (db_backup_log.txt) that is publicly accessible without authentication. This log file contains sensitive information including the full server path of the WordPress installation and paths to database backup files.
The exposure of this information creates a significant reconnaissance opportunity for attackers. Knowledge of the server's file system structure can be leveraged for subsequent attacks, including path traversal exploits or direct access to database backups if directory listing or other misconfigurations exist.
Root Cause
The root cause of this vulnerability is improper access control on the db_backup_log.txt file. The plugin stores sensitive path information in a file that is accessible via HTTP request without any authentication or authorization checks. This represents a failure to implement the principle of least privilege and incomplete cleanup of sensitive operational data.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can simply make an HTTP request to the known location of the db_backup_log.txt file to retrieve the sensitive information. The attack process involves:
- Identifying WordPress sites running the vulnerable BulletProof Security plugin
- Requesting the publicly accessible db_backup_log.txt file
- Parsing the response to extract server paths and database backup file locations
- Using the disclosed information to plan further attacks or attempt to access backup files
Exploit code for this vulnerability is publicly available through Exploit-DB #50382 and the GitHub Exploit Repository.
Detection Methods for CVE-2021-39327
Indicators of Compromise
- HTTP requests to db_backup_log.txt in the BulletProof Security plugin directory
- Unusual web server log entries showing access to plugin log files from external IPs
- Multiple sequential requests attempting to access various WordPress plugin directories
Detection Strategies
- Monitor web server access logs for requests targeting db_backup_log.txt or similar sensitive log files
- Implement Web Application Firewall (WAF) rules to block direct access to .txt files within WordPress plugin directories
- Configure IDS/IPS signatures to detect reconnaissance patterns against WordPress installations
Monitoring Recommendations
- Enable detailed logging for HTTP requests to the wp-content/plugins/ directory tree
- Set up alerts for access attempts to sensitive file extensions within plugin directories
- Review web server logs periodically for suspicious access patterns targeting backup or log files
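As an added illustration of the log review described above (example code written for this page, not part of the original advisory, the plugin or Wordfence), the Python script below classifies combined-format access-log lines into confirmed disclosures of db_backup_log.txt (2xx responses), blocked attempts, and sources that enumerate several plugin directories. The sample log lines and the plugin directory layout in them are constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The disclosed file, anywhere under the plugins tree (query string ignored).
TARGET_RE = re.compile(r'^/wp-content/plugins/.*/db_backup_log\.txt(\?.*)?$', re.I)
# Any plugin directory, used to spot one source probing many plugins in a row.
PLUGIN_DIR_RE = re.compile(r'^/wp-content/plugins/([^/?]+)', re.I)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, enum_threshold=3):
    """Bucket lines into disclosed (2xx for db_backup_log.txt), blocked (other status
    for that file) and enumerators (IPs touching >= enum_threshold plugin directories)."""
    disclosed, blocked = defaultdict(list), defaultdict(list)
    plugin_dirs = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip lines that are not combined-format (or are corrupt)
        path = rec["path"]
        d = PLUGIN_DIR_RE.match(path)
        if d:
            plugin_dirs[rec["ip"]].add(d.group(1).lower())
        if TARGET_RE.match(path):
            bucket = disclosed if rec["status"].startswith("2") else blocked
            bucket[rec["ip"]].append((rec["ts"], rec["status"], path))
    enumerators = {ip: sorted(d) for ip, d in plugin_dirs.items() if len(d) >= enum_threshold}
    return {"disclosed": dict(disclosed), "blocked": dict(blocked), "enumerators": enumerators}

# Constructed sample traffic (RFC 5737 test addresses; the plugin directory layout is assumed).
SAMPLE_LOG = """\
198.51.100.9 - - [18/Sep/2021:09:59:58 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.26"
198.51.100.9 - - [18/Sep/2021:09:59:59 +0000] "GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.26"
198.51.100.9 - - [18/Sep/2021:10:00:00 +0000] "GET /wp-content/plugins/bulletproof-security/readme.txt HTTP/1.1" 200 9812 "-" "python-requests/2.26"
198.51.100.9 - - [18/Sep/2021:10:00:01 +0000] "GET /wp-content/plugins/bulletproof-security/db_backup_log.txt HTTP/1.1" 200 1284 "-" "python-requests/2.26"
203.0.113.7 - - [18/Sep/2021:11:30:12 +0000] "GET /wp-content/plugins/bulletproof-security/db_backup_log.txt?x=1 HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.15 - - [18/Sep/2021:11:31:00 +0000] "GET /wp-content/uploads/2021/09/logo.png HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A 2xx entry in "disclosed" means the file was actually served and the path information should be treated as exposed; "blocked" entries confirm a WAF or .htaccess workaround is doing its job.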
How to Mitigate CVE-2021-39327
Immediate Actions Required
- Update BulletProof Security plugin to a version newer than 5.1 immediately
- Review web server access logs for any prior exploitation attempts
- Verify that database backup files have not been accessed by unauthorized parties
- Consider rotating database credentials if backup file exposure is suspected
Patch Information
The vendor has released a patch addressing this vulnerability. The fix can be reviewed in the WordPress Plugin Changeset. Users should update to the latest version of BulletProof Security through the WordPress plugin repository. Additional technical details are available in the Wordfence Vulnerability Advisory.
Workarounds
- Block direct HTTP access to .txt files within the WordPress plugins directory using .htaccess or web server configuration
- Implement server-side access controls to restrict access to the BulletProof Security plugin directory
- Move database backups to a location outside the web root and ensure they are not accessible via HTTP
# Apache .htaccess configuration to block access to sensitive log files.
# Place this in the BulletProof Security plugin directory; at the WordPress
# root it would also block every other .txt file on the site (robots.txt included).
# "Order"/"Deny" is Apache 2.2 syntax, honoured by 2.4 only via mod_access_compat;
# on Apache 2.4 without that module use "Require all denied" instead.
<FilesMatch "\.txt$">
Order Allow,Deny
Deny from all
</FilesMatch>
# Alternative: block only the specific file
<Files "db_backup_log.txt">
Order Allow,Deny
Deny from all
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.