CVE-2023-54346
Published: 05 May 2026
Summary
CVE-2023-54346 is a high-severity Insertion of Sensitive Information into Externally-Accessible File or Directory (CWE-538) vulnerability in Backupbliss (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 22.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CP-9 (System Backup).
Deeper analysis
CVE-2023-54346 is an information disclosure vulnerability (CWE-538) affecting the WordPress plugin Backup Migration version 1.2.8, assigned a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The vulnerability enables unauthenticated attackers to download complete database backups through predictable file paths. Attackers can enumerate backup directories by accessing exposed configuration files and complete logs, allowing them to construct direct download URLs for sensitive backup archives that contain full database dumps.
Unauthenticated remote attackers can exploit this issue with low complexity, requiring no privileges or user interaction. Successful exploitation grants high confidentiality impact by exposing sensitive data such as full database contents, while integrity and availability remain unaffected.
Advisories from VulnCheck and a proof-of-concept exploit on Exploit-DB document the unauthenticated database backup download capability. Additional references include the plugin's vendor site at backupbliss.com and the affected version download at downloads.wordpress.org/plugin/backup-backup.1.2.8.zip.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-60568
Vulnerability details
WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing WordPress plugin enables unauthenticated remote file access and direct exfiltration of database backup contents via predictable paths.
Mitigating Controls (NIST 800-53 r5)
- Requires protection of backup information to prevent storage of database backups in publicly accessible locations with predictable paths.
- Enforces approved authorizations for public access, blocking unauthenticated downloads of sensitive backup archives from external interfaces.
- Enforces logical access controls on configuration files, logs, and backup directories to prevent enumeration and direct unauthorized access.