CVE-2023-6266
Published 2024-01-11. CVE-2023-6266: The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of…
Priority: P178 · high · 7.5 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:N A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.07% (79.1st percentile)
The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII, database credentials, and much more.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| backupbliss | backup_migration | <= 1.3.6 | — |
| inisev | backupbliss_backup_migration_with_free_cloud_storage | <= 1.3.6 | — |
Detection & IOCs (extracted from sources)
- Look for unauthenticated GET requests containing the query parameter 'backup-migration=BMI_BACKUP'; this triggers the vulnerable handle_downloading function's BMI_BACKUP case.
- Path traversal attempts will appear in the 'backup-id' parameter (e.g., '../complete_logs.log'). Monitor for directory traversal sequences in this parameter.
- A successful first-stage probe returns HTTP 200 with a body containing the string 'BM_Backup', followed by a second request that downloads the identified .zip backup file with Content-Type application/zip.
- A successful backup file download is confirmed by an HTTP 200 response with a Content-Type containing 'application/zip'. Alert on this combination for unauthenticated sessions.
- Shodan/FOFA fingerprint for exposed instances: search for 'backup-migration' in the HTTP HTML body.
- The vulnerability affects all versions up to and including 1.3.6 of the Backup Migration plugin. Version 1.3.7 and later are patched.
- Exploitation is two-stage: the first request leaks backup filenames from the log file via path traversal; the second request downloads the actual backup ZIP. Detection logic should correlate both requests.
- The exploit requires no authentication (PR:N, UI:N), meaning any unauthenticated HTTP client can trigger the download of backup files containing passwords, PII, and database credentials.
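The correlation the IoCs above call for, as an added detection example (not code from any vendor, the plugin, or the sources quoted on this page). It walks reverse-proxy log records, one JSON object per request, whose field names (ts, src_ip, uri, status, resp_content_type, cookie) are an assumption of this example and must be mapped to your own log schema. The sample records are constructed, not real traffic; the backup file name in them is a placeholder. A request is tagged as stage 1 when 'backup-migration=BMI_BACKUP' is present and 'backup-id' contains a '..' path segment (decoded twice to catch double encoding), as stage 2 when the same endpoint returns HTTP 200 with Content-Type application/zip, and the two are correlated per source address within a ten-minute window. Downloads carrying a WordPress 'wordpress_logged_in_*' cookie are treated as expected administrator use and not alerted on.

```python
"""Detection logic for the CVE-2023-6266 two-stage download pattern.

Added example for this page; not code from any vendor, the plugin, or
the sources quoted here. Log field names (ts, src_ip, uri, status,
resp_content_type, cookie) are an assumption of this example.
"""
import json
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

CORRELATION_WINDOW_SECONDS = 600  # stage 1 -> stage 2 must occur within 10 min

# Constructed sample records (not real traffic). 10.0.0.5 performs the
# two-stage sequence from the IoCs; 10.0.0.9 is an authenticated admin
# legitimately using the plugin; 10.0.0.7 probes a patched host (404).
# The backup file name is a placeholder, not a real artifact name.
SAMPLE_LOG = """\
{"ts":"2024-01-12T10:00:01Z","src_ip":"10.0.0.9","uri":"/wp-admin/admin.php?page=backup-migration","status":200,"resp_content_type":"text/html; charset=UTF-8","cookie":"wordpress_logged_in_example=redacted"}
{"ts":"2024-01-12T10:00:05Z","src_ip":"10.0.0.5","uri":"/?backup-migration=BMI_BACKUP&backup-id=..%2Fcomplete_logs.log","status":200,"resp_content_type":"text/plain","cookie":""}
{"ts":"2024-01-12T10:00:07Z","src_ip":"10.0.0.5","uri":"/?backup-migration=BMI_BACKUP&backup-id=BM_Backup_example.zip","status":200,"resp_content_type":"application/zip","cookie":""}
{"ts":"2024-01-12T10:01:00Z","src_ip":"10.0.0.9","uri":"/?backup-migration=BMI_BACKUP&backup-id=BM_Backup_example.zip","status":200,"resp_content_type":"application/zip","cookie":"wordpress_logged_in_example=redacted"}
{"ts":"2024-01-12T10:02:00Z","src_ip":"10.0.0.7","uri":"/?backup-migration=BMI_BACKUP&backup-id=..%2Fcomplete_logs.log","status":404,"resp_content_type":"text/html","cookie":""}
"""


def parse_record(line: str) -> dict:
    """Parse one JSON log line and derive the CVE-2023-6266 indicators."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    query = parse_qs(urlsplit(rec["uri"]).query)
    # Indicator 1: the request reaches the BMI_BACKUP case of handle_downloading.
    rec["bmi_backup"] = "BMI_BACKUP" in query.get("backup-migration", [])
    # Indicator 2: directory traversal in backup-id. parse_qs decodes once;
    # a second unquote catches double-encoded sequences such as %252e%252e.
    backup_id = unquote(query.get("backup-id", [""])[0])
    rec["backup_id"] = backup_id
    segments = backup_id.replace("\\", "/").split("/")
    rec["traversal"] = ".." in segments
    # Indicator 3: a served archive (HTTP 200 + application/zip).
    ctype = (rec.get("resp_content_type") or "").lower()
    rec["zip_download"] = rec["status"] == 200 and "application/zip" in ctype
    # WordPress sets wordpress_logged_in_* cookies for authenticated users.
    rec["authenticated"] = "wordpress_logged_in_" in (rec.get("cookie") or "")
    return rec


def analyze(log_text: str) -> list:
    """Return alerts. 'high' = successful traversal probe followed by an
    unauthenticated zip download from the same source within the window;
    'medium' = either indicator on its own."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r["ts"])
    by_ip: dict = {}
    for r in records:
        if r["bmi_backup"]:
            by_ip.setdefault(r["src_ip"], []).append(r)
    alerts = []
    for ip, recs in by_ip.items():
        probes = [r for r in recs if r["traversal"]]
        for p in probes:
            alerts.append({"severity": "medium", "src_ip": ip, "ts": p["ts"],
                           "reason": f"traversal in backup-id: {p['backup_id']!r} "
                                     f"(status {p['status']})"})
        for r in recs:
            if not r["zip_download"] or r["authenticated"]:
                continue  # logged-in admin downloads are expected plugin use
            # Did a stage-1 probe succeed (200) shortly before this download?
            preceded = any(
                p["status"] == 200
                and 0 <= (r["ts"] - p["ts"]).total_seconds() <= CORRELATION_WINDOW_SECONDS
                for p in probes)
            alerts.append({
                "severity": "high" if preceded else "medium",
                "src_ip": ip, "ts": r["ts"],
                "reason": ("two-stage backup exfiltration: traversal probe followed "
                           "by unauthenticated zip download" if preceded
                           else "unauthenticated backup zip download"),
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["severity"].upper(), a["src_ip"], a["ts"].isoformat(), a["reason"])
```

On the constructed sample this yields three alerts: a medium traversal alert and a high two-stage alert for 10.0.0.5, a medium traversal alert for 10.0.0.7 (the 404 shows the host is patched but the probe is still worth knowing about), and nothing for the authenticated administrator. The unauthenticated-download rule on its own is deliberately kept at medium: on a vulnerable host the second request looks identical to legitimate use apart from the missing session cookie, so the traversal probe is what lifts confidence.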
CVSS provenance
- NVD (CVSS v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 7.5 HIGH
VulDB
Backup Migration Plugin up to 1.3.6 on WordPress information disclosure
vuldb · 2026-04-11 · CVSS 7.5
CVE-2023-6266 [HIGH] Backup Migration Plugin up to 1.3.6 on WordPress information disclosure
A vulnerability identified as problematic has been detected in Backup Migration Plugin up to 1.3.6 on WordPress. Affected by this issue is some unknown functionality. This manipulation causes information disclosure.
This vulnerability is tracked as CVE-2023-6266. The attack can be carried out remotely. No exploit exists.
You should upgrade the affected component.
GHSA
GHSA-wqc2-2gpx-6j9r: The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP
ghsa (unreviewed) · 2024-01-11
CVE-2023-6266 [HIGH] CWE-200 GHSA-wqc2-2gpx-6j9r: The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP
The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII, database credentials, and much more.
VulnCheck
backupbliss backup_migration Exposure of Sensitive Information to an Unauthorized Actor
vulncheck · 2023 · CVSS 7.5
CVE-2023-6266 [HIGH] backupbliss backup_migration Exposure of Sensitive Information to an Unauthorized Actor
The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII, database credentials, and much more.
Affected: backupbliss backup_migration
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plu
No detection rules found.
Nuclei
WordPress Backup Migration <= 1.3.6 - Path Traversal
nuclei · CVSS 7.5
CVE-2023-6266 [HIGH] WordPress Backup Migration <= 1.3.6 - Path Traversal
WordPress Backup Migration plugin versions up to 1.3.6 contain a path traversal and file validation issue in handle_downloading function, letting unauthenticated attackers download backup files containing sensitive information.
Template (excerpt):

```yaml
id: CVE-2023-6266

info:
  name: WordPress Backup Migration <= 1.3.6 - Path Traversal
  author: riteshs4hu
  severity: high
  description: |
    WordPress Backup Migration plugin versions up to 1.3.6 contain a path traversal and file validation issue in handle_downloading function, letting unauthenticated attackers download backup files containing sensitive information.
  impact: |
    Attackers can download backup files with sensitive data, leading to data breaches and privacy violations.
  remediation: |
    Update to the
```
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.5/includes/initializer.php#L1048
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.5/includes/initializer.php#L972
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/initializer.php#L1065
- https://www.wordfence.com/threat-intel/vulnerabilities/id/08801f53-3c57-41a3-a637-4b52637cc612?source=cve