A high-severity Local File Inclusion (LFI) vulnerability has been discovered in the "Bei Fen – WordPress Backup Plugin" for WordPress. This flaw allows an unauthenticated attacker to read sensitive files from the server hosting the website, such as configuration files containing database credentials. Successful exploitation could lead to a complete compromise of the affected website and its underlying server.

The vulnerability is a Local File Inclusion (LFI) flaw. It exists because the plugin fails to properly sanitize user-supplied input that is used to construct a file path. An unauthenticated attacker can manipulate this input, often a URL parameter, with directory traversal sequences (e.g., ../) to navigate the server's file system and force the application to include and display the contents of arbitrary files. This can expose sensitive information, such as the wp-config.php file, which contains database credentials, or system files like /etc/passwd.

This is a high-severity vulnerability with a CVSS score of 8.1, posing a significant risk to the organization. Exploitation can lead to a severe data breach, exposing confidential information including database credentials, API keys, and internal server configurations. An attacker could leverage this information to gain further unauthorized access, escalate privileges, and achieve a full system compromise. The potential consequences include theft of sensitive data, website defacement, operational disruption, and significant reputational damage.

Immediate Action:

• Immediately update the "Bei Fen – WordPress Backup Plugin" to the latest version provided by the vendor, which addresses this vulnerability.
• If the plugin is not essential for business operations, the recommended course of action is to disable and completely remove it to eliminate the associated attack surface.

Proactive Monitoring:

• Review web server access logs (e.g., Apache, Nginx) for requests containing directory traversal patterns such as ../, ..%2F, or attempts to access sensitive files like wp-config.php, .env, or /etc/passwd.
• Monitor for any unusual or unauthorized modifications to website files using a File Integrity Monitoring (FIM) solution.
• Observe network traffic for any suspicious outbound connections from the web server, which could indicate a post-exploitation command-and-control channel.

Compensating Controls:

• Implement a Web Application Firewall (WAF) with a robust ruleset to detect and block LFI and directory traversal attack patterns.
• Harden server file permissions to ensure the web server's user account has read access only to the files and directories necessary for the website to function, limiting the impact of a successful LFI exploit.
• Segment the network to isolate the web server from critical internal systems, preventing lateral movement in the event of a compromise.

Public Exploit Available: false

Given the high severity (CVSS 8.1) and the potential for complete system compromise, this vulnerability requires immediate attention. We strongly recommend organizations identify all instances of the "Bei Fen – WordPress Backup Plugin" within their environment and apply the vendor-supplied patches without delay. Although this CVE is not currently on the CISA KEV list, its critical nature makes it a high-priority target for remediation. If patching is not immediately feasible, implement the suggested compensating controls, such as a WAF, to mitigate the immediate risk.