Two days ago, we discussed one vulnerability that was recently fixed in the WordPress backup plugin FastDup, while looking into why a hacker might be targeting the plugin. There was another vulnerability that was supposed to have been fixed. Patchstack claimed that there had been a sensitive data exposure via log file vulnerability in the plugin. As usual, they didn’t provide the information needed to check if the vulnerability was real and if it was real, it had been fixed. It appears either they got some basic details wrong about the vulnerability and it wasn’t fixed or what they were claiming was a vulnerability wasn’t a vulnerability, but there was a similar vulnerability really in the plugin. Confused? So are we. So let’s go through what we found.

The vulnerability was supposed to be fixed in version 2.1.8 of the plugin. The change made in that version was to modify an additional value added to filenames of files created by the plugin from the current time using the PHP function time() to a randomly generated value. That would make it harder to guess the names of files, but with either one, it isn’t something that would be easy to guess, unless you knew when a backup was made. The files should be blocked from being accessed directly, so the name shouldn’t even matter. [Read more]