cbcvebase.
CVE-2023-6266
published 2024-01-11


Priority: P1 78 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 2.07% (79.1th percentile)
The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII, database credentials, and much more.

Affected (2 ranges)

Vendor       Product                                                  Version range   Fixed in
backupbliss  backup_migration                                         <= 1.3.6
inisev       backupbliss_backup_migration_with_free_cloud_storage     <= 1.3.6

Detection & IOCs (extracted from sources)

url: /?backup-migration=BMI_BACKUP&backup-id=../complete_logs.log
url: /?backup-migration=BMI_BACKUP&backup-id={{backupfile}}
filename (regex): BM_Backup_[0-9_-]+_[A-Za-z0-9]+\.zip
  • Look for unauthenticated GET requests containing the query parameter 'backup-migration=BMI_BACKUP': this triggers the BMI_BACKUP case of the vulnerable handle_downloading function.
  • Path traversal attempts appear in the 'backup-id' parameter (e.g., '../complete_logs.log'). Monitor for directory traversal sequences, plain or URL-encoded, in this parameter.
  • A successful first-stage probe returns HTTP 200 with a body containing the string 'BM_Backup', followed by a second request that downloads the identified .zip backup file with Content-Type application/zip.
  • A successful backup file download is confirmed by an HTTP 200 response whose Content-Type contains 'application/zip'. Alert on this combination for unauthenticated sessions.
  • Shodan/FOFA fingerprint for exposed instances: search for 'backup-migration' in the HTTP HTML body.
  • The vulnerability affects all versions up to and including 1.3.6 of the Backup Migration plugin. Version 1.3.7 and later are patched.
  • Exploitation is two-stage: the first request leaks backup filenames from the log file via path traversal; the second request downloads the actual backup ZIP. Detection logic should correlate both requests from the same source.
  • The exploit requires no authentication (PR:N, UI:N), meaning any unauthenticated HTTP client can trigger the download of backup files containing passwords, PII, and database credentials.
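The two-stage correlation described in the bullets above, written out as an added detection example (not code from this page's sources or from the plugin vendor). It reads constructed JSON-lines proxy events (field names such as src_ip, content_type and authenticated are assumptions for the sample, not a real product's schema), flags unauthenticated BMI_BACKUP requests whose backup-id carries a traversal sequence, and marks a subsequent application/zip download of a BM_Backup_*.zip from the same source as a completed two-stage hit. A real deployment would also bound the time between the two stages; the sample omits that for brevity.

```python
"""Two-stage detection for CVE-2023-6266 probe/download traffic (added example)."""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Filename pattern for Backup Migration archives, taken from the IoC list above.
BACKUP_NAME_RE = re.compile(r"BM_Backup_[0-9_-]+_[A-Za-z0-9]+\.zip")
# Directory traversal sequence ("../" or "..\") after URL decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed sample events (JSON lines), loosely modelled on a reverse-proxy log
# that records the response Content-Type and whether a WordPress session was
# present. Field names are assumptions for this example, not a real schema.
SAMPLE_LOG = """\
{"ts": "2024-01-12T10:00:01Z", "src_ip": "203.0.113.5", "method": "GET", "path": "/?backup-migration=BMI_BACKUP&backup-id=../complete_logs.log", "status": 200, "content_type": "text/plain", "authenticated": false}
{"ts": "2024-01-12T10:00:03Z", "src_ip": "203.0.113.5", "method": "GET", "path": "/?backup-migration=BMI_BACKUP&backup-id=BM_Backup_2023-12-20_11_05_22_a1B2c3D4.zip", "status": 200, "content_type": "application/zip", "authenticated": false}
{"ts": "2024-01-12T10:01:00Z", "src_ip": "198.51.100.7", "method": "GET", "path": "/wp-admin/", "status": 200, "content_type": "text/html", "authenticated": true}
{"ts": "2024-01-12T10:01:05Z", "src_ip": "198.51.100.7", "method": "GET", "path": "/?backup-migration=BMI_BACKUP&backup-id=BM_Backup_2023-12-20_11_05_22_a1B2c3D4.zip", "status": 200, "content_type": "application/zip", "authenticated": true}
{"ts": "2024-01-12T10:02:00Z", "src_ip": "192.0.2.9", "method": "GET", "path": "/?backup-migration=BMI_BACKUP&backup-id=..%2Fcomplete_logs.log", "status": 404, "content_type": "text/html", "authenticated": false}
"""


def bmi_backup_id(path):
    """Return the decoded backup-id if the request targets the BMI_BACKUP case, else None."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if params.get("backup-migration", [""])[0] != "BMI_BACKUP":
        return None
    # parse_qs already decodes one layer; decode once more to catch double encoding.
    return unquote(params.get("backup-id", [""])[0])


def analyse(log_text):
    """Classify unauthenticated BMI_BACKUP requests into probe / download events."""
    findings = []
    probed = set()  # sources whose traversal probe received an HTTP 200
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        backup_id = bmi_backup_id(ev["path"])
        if backup_id is None or ev.get("authenticated"):
            continue  # not the vulnerable handler, or a legitimate admin download
        src = ev["src_ip"]
        if TRAVERSAL_RE.search(backup_id):
            # Stage one: traversal in backup-id, leaking the log that names backups.
            findings.append({"stage": "probe", "src_ip": src, "ts": ev["ts"], "status": ev["status"]})
            if ev["status"] == 200:
                probed.add(src)
        elif (BACKUP_NAME_RE.fullmatch(backup_id) and ev["status"] == 200
              and "application/zip" in ev.get("content_type", "")):
            # Stage two: an archive with the BM_Backup naming pattern was served.
            stage = "download_after_probe" if src in probed else "download"
            findings.append({"stage": stage, "src_ip": src, "ts": ev["ts"], "status": ev["status"]})
    return findings


def compromised_sources(findings):
    """Sources that completed both stages: a 200 probe followed by a zip download."""
    return sorted({f["src_ip"] for f in findings if f["stage"] == "download_after_probe"})


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("two-stage hits:", compromised_sources(results))
```

Running the block on the sample yields a probe and a correlated download for 203.0.113.5, a failed (HTTP 404) probe for 192.0.2.9, and nothing for the authenticated admin download, which is the distinction the last two bullets ask detection logic to make.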

CVSS provenance

nvd: v3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH