VYPR
High severity 7.5 · NVD Advisory · Published Jun 15, 2026

CVE-2016-20076

Description

Unauthenticated attackers can delete arbitrary files and download sensitive files via directory traversal in WordPress Simple-Backup 2.7.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

WordPress Simple-Backup version 2.7.11 contains multiple vulnerabilities in tools.php. The parameters delete_backup_file and download_backup_file lack input validation, allowing directory traversal attacks. This affects both the arbitrary file deletion and arbitrary file download functionalities. No authentication is required, and the default plugin configuration is vulnerable [1][2].

Exploitation

An unauthenticated attacker can send crafted HTTP GET requests to /wp-admin/tools.php?page=backup_manager with manipulated delete_backup_file or download_backup_file parameters. For example, to delete a file, an attacker uses delete_backup_file=../target.txt; to download sensitive files, they use download_backup_file=../wp-config.php. The attack does not require any special network position beyond standard web access, and no user interaction is needed [1].

Impact

Successful exploitation allows an unauthenticated attacker to delete arbitrary files on the web server (e.g., .htaccess), potentially exposing backup directories. It also enables downloading sensitive files such as wp-config.php and database dumps, leading to full disclosure of WordPress configuration, credentials, and database contents. This can result in complete compromise of the WordPress site [1][2].

Mitigation

No official patch was released by the vendor as of the disclosure date (2016-06-02). As of the vulnerability publication date, the plugin remains unpatched. Sites using Simple-Backup 2.7.11 are urged to immediately disable and remove the plugin, or implement web application firewall (WAF) rules to block directory traversal patterns in the delete_backup_file and download_backup_file parameters [1].
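Added example (not from the advisory, the plugin, or any WAF product): a PHP detector that expresses the mitigation's rule, flagging requests to the `backup_manager` page whose `delete_backup_file` or `download_backup_file` value is empty, a dot-file, or carries a directory component, applied to constructed access-log lines. The combined log format, addresses and timestamps are assumptions.

```php
<?php
declare(strict_types=1);

// True when a request hits the Simple-Backup entry point and its
// delete_backup_file / download_backup_file value is not a plain, non-dot
// file name: the traversal, ".htaccess" and empty-value cases the advisory lists.
function is_suspicious_backup_request(string $url): bool
{
    $parts = parse_url($url);
    if (!isset($parts['query']) || !preg_match('~/wp-admin/tools\.php$~', $parts['path'] ?? '')) {
        return false;
    }
    parse_str($parts['query'], $q);            // parse_str URL-decodes the values
    if (($q['page'] ?? '') !== 'backup_manager') {
        return false;
    }
    foreach (['delete_backup_file', 'download_backup_file'] as $param) {
        if (!array_key_exists($param, $q)) {
            continue;
        }
        $v = (string) $q[$param];
        if ($v === '' || $v[0] === '.' || $v !== basename($v)) {
            return true;                       // empty, dot-file, or has a path part
        }
    }
    return false;
}

// Scans Apache combined-format lines and returns the suspicious request URLs.
function find_backup_attacks(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)
            && is_suspicious_backup_request($m[1])) {
            $hits[] = $m[1];
        }
    }
    return $hits;
}

// Constructed sample log lines (addresses and timestamps are made up).
$sample = [
    '203.0.113.5 - - [02/Jun/2016:10:00:01 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../wp-config.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [02/Jun/2016:10:00:02 +0000] "GET /wp-admin/tools.php?page=backup_manager&delete_backup_file=.htaccess&download_backup_file=inexisting HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Jun/2016:10:00:03 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=site-backup.zip HTTP/1.1" 200 99102',
];
print_r(find_backup_attacks($sample));
```

The first two sample lines are reported and the third, a plain archive name, is not; a WAF rule built on the same conditions blocks the former without interfering with legitimate downloads.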

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"Insufficient input validation in the `download_local_backup_file()` function — using `ltrim()` instead of proper path-sanitization — allows directory traversal, and the plugin lacks authentication checks for both file download and file deletion operations."

Attack vector

An unauthenticated attacker sends crafted HTTP GET requests to `/wp-admin/tools.php?page=backup_manager` with either the `delete_backup_file` or `download_backup_file` parameter. The plugin fails to validate that the supplied filename is a legitimate backup file and does not properly sanitize directory traversal sequences. For file deletion, the attacker can supply `../pizza.txt` to delete arbitrary files, or `.htaccess` to remove the backup directory's protection file. For file download, the attacker can supply an empty value to read `tools.php` itself, or use a path like `oldBackups/../../wp-config.php` to traverse out of the backup directory and download sensitive files such as `wp-config.php` or `/etc/passwd` [ref_id=1].

Affected code

The vulnerable code resides in `simple-backup-manager.php` within the function `download_local_backup_file($filename)`. The function uses `ltrim($filename, ".\/")` to sanitize user input, which is insufficient to prevent directory traversal. The parameters `delete_backup_file` and `download_backup_file` in `tools.php` (page `backup_manager`) are the entry points for the attacks [ref_id=1].

What the fix does

No patch has been published by the vendor; the exploit was disclosed on 2016-06-02 after the vendor failed to respond [ref_id=1]. The advisory recommends that file download should require authentication and authorization (users with backup-management permissions), the filename should be validated against a whitelist of actual backup files, and the input should be sanitized using PHP's `basename()` function instead of `ltrim()` to prevent directory traversal. For file deletion, the same access-control and input-validation improvements are necessary [ref_id=1].
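Added illustration (not the plugin's code and not from the advisory): the weak `ltrim()` check beside a hardened lookup that applies the recommendations above, reducing the input with `basename()`, accepting only archives actually present in the backup directory, and confirming the resolved path stays inside it; the same function serves both the download and the delete path. The backup directory, the archive-name pattern and the `current_user_can()` capability named in a comment are assumptions.

```php
<?php
declare(strict_types=1);

// Weak sanitization as described in the advisory: ltrim() strips only
// leading ".", "\" and "/" characters, so a ".." that follows a directory
// component survives and still walks out of the backup directory.
function sanitize_weak(string $filename): string
{
    return ltrim($filename, ".\/");
}

// Hardened lookup (added example, not the plugin's code): reduce the request
// to a bare file name, accept it only if it names an archive that actually
// exists in the backup directory, and confirm the resolved path is still
// inside that directory. In WordPress this would additionally run behind a
// capability check such as current_user_can('manage_options') (assumption).
function resolve_backup_file(string $backupDir, string $requested): ?string
{
    $name = basename($requested);              // drops every directory part
    if ($name === '' || $name[0] === '.') {    // rejects "", "..", ".htaccess"
        return null;
    }
    // Whitelist: archives present on disk whose names match an assumed pattern.
    $allowed = array_filter(scandir($backupDir), function (string $f): bool {
        return preg_match('/^[\w-]+(\.[\w-]+)*\.(zip|sql|tar\.gz)$/', $f) === 1;
    });
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $real = realpath($backupDir . DIRECTORY_SEPARATOR . $name);
    $base = realpath($backupDir) . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $base, strlen($base)) !== 0) {
        return null;                           // resolved outside $backupDir
    }
    return $real;
}

// Constructed demo: a throwaway backup directory holding one archive and the
// .htaccess that protects it, exercised with the inputs the advisory names.
$dir = sys_get_temp_dir() . '/simple-backup-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/site-backup.zip", 'demo archive');
file_put_contents("$dir/.htaccess", "Deny from all\n");
foreach (['site-backup.zip', 'oldBackups/../../wp-config.php', '.htaccess', ''] as $in) {
    printf("%-34s ltrim: %-32s hardened: %s\n", var_export($in, true),
        var_export(sanitize_weak($in), true),
        var_export(resolve_backup_file($dir, $in), true));
}
```

Only the real archive name resolves to a path; `ltrim()` leaves the traversal input unchanged because its `..` is not at the start of the string.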

Preconditions

  • config: The WordPress site must have the simple-backup plugin version 2.7.11 installed and enabled.
  • auth: No authentication is required; the default plugin configuration is affected.
  • network: The attacker must be able to send HTTP requests to the WordPress admin area (wp-admin/tools.php).
  • input: The attacker supplies crafted directory-traversal payloads via the delete_backup_file or download_backup_file query parameters.

Reproduction

**Arbitrary File Deletion**

1. Send a GET request to `http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=../pizza.txt` to delete `pizza.txt` in the WordPress root.
2. Send a GET request to `http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=.htaccess&download_backup_file=inexisting` to delete the `.htaccess` file protecting the backup directory, then browse `http://127.0.0.1/<WP-path>/simple-backup/` to access backup archives.

**Arbitrary File Download**

1. Send a GET request to `http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=` (empty value) to download `tools.php`.
2. Send a GET request to `http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../wp-config.php` to download `wp-config.php`.
3. Send a GET request to `http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../../../../../etc/passwd` to download `/etc/passwd` [ref_id=1].

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (No linked articles in our index yet.)