Cyber Resilience

CVE-2023-6266

Severity: High

Published: 11 January 2024
Modified: 08 April 2026
KEV Added: not listed
Patch: available (fixed in 1.3.7)
CVSS v3.1: 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.2946 (96.7th percentile)
Risk Priority: 33 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-6266 is a high-severity information disclosure vulnerability (CWE-200, Exposure of Sensitive Information to an Unauthorized Actor) in the Backup Migration WordPress plugin by Backupbliss. Its CVSS v3.1 base score is 7.5 (High): reachable over the network, low attack complexity, no privileges or user interaction required, with high confidentiality impact and no impact on integrity or availability.

Operationally, its EPSS score places it in the top 3.3% of CVEs by estimated exploit likelihood (96.7th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Backup Migration plugin for WordPress contains an information disclosure vulnerability caused by insufficient path and file validation in the BMI_BACKUP case of the handle_downloading function. The flaw affects all versions up to and including 1.3.6 and is tracked under CWE-200 and CWE-552 (Files or Directories Accessible to External Parties). An unauthenticated network attacker can request backup archives directly, with no credentials and no user interaction, which is why the CVSS 3.1 vector scores 7.5 on confidentiality impact alone.

Because the plugin exposes a download handler that acts on attacker-supplied request parameters without an authentication or authorization check, any remote adversary can retrieve complete backup archives. These archives commonly contain the WordPress database credentials from wp-config.php, user password hashes, personally identifiable information, and other sensitive site data, enabling subsequent account takeover or further compromise of the affected installation and any services that share those credentials.

The referenced Wordfence advisory and the WordPress plugin repository changeset indicate that the issue was addressed by tightened input validation in version 1.3.7. Site administrators should update immediately, confirm that stored backup archives are no longer reachable by unauthenticated requests, and remove the plugin if backups are not required. Because any archive retrieved before patching exposes database credentials and password hashes, a confirmed download should be treated as a credential compromise and the affected secrets rotated. The EPSS score peaked at 0.3202 and currently stands at 0.2946, indicating moderate, sustained exploitation interest since disclosure.
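The two paragraphs above describe the shape of the flaw (a download handler that trusts the request and checks no login) and the shape of the fix (validation added). The following is an added illustration written for this page, not the Backup Migration plugin's own code: a minimal Python model of the vulnerable handler beside a hardened one. The function names, the request dictionary, the `manage_options` capability check, the directory layout and the sample files are all assumptions made for the example; the hardened version also rejects path traversal, which goes beyond what the advisory text states about this specific CVE.

```python
"""Minimal model of the flawed download path and a hardened replacement.
Added illustration only: this is not the Backup Migration plugin's code.
Function names, the request dict, the 'manage_options' capability and the
directory layout are assumptions made for the example."""
import os
import tempfile


class DownloadError(Exception):
    """Raised when a download request is refused."""


def vulnerable_handle_downloading(request, backup_dir):
    """The vulnerable pattern (CWE-200 / CWE-552): no login check and the
    requested file name is trusted as-is, so any remote client can fetch any
    backup archive, and a traversal string reaches files outside backup_dir."""
    if request.get("action") != "BMI_BACKUP":
        raise DownloadError("unknown action")
    path = os.path.join(backup_dir, request.get("file", ""))
    with open(path, "rb") as fh:
        return fh.read()


def hardened_handle_downloading(request, backup_dir, current_user):
    """Hardened pattern: caller must hold an administrative capability, the
    name is reduced to a basename, only .zip archives are served, and the
    resolved path must still sit inside backup_dir (defeats symlink tricks)."""
    if request.get("action") != "BMI_BACKUP":
        raise DownloadError("unknown action")
    caps = current_user.get("caps", set()) if current_user else set()
    if "manage_options" not in caps:          # assumed capability name
        raise DownloadError("authentication required")
    name = os.path.basename(request.get("file", ""))
    if not name or not name.endswith(".zip"):
        raise DownloadError("not a backup archive")
    root = os.path.realpath(backup_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != root or not os.path.isfile(path):
        raise DownloadError("no such backup inside the backup directory")
    with open(path, "rb") as fh:
        return fh.read()


def _outcome(fn):
    """Reduce a handler call to 'served' or 'refused: <reason>'."""
    try:
        fn()
        return "served"
    except DownloadError as exc:
        return "refused: %s" % exc


def demo():
    """Constructed sample layout: one backup archive plus a wp-config.php one
    directory above it. Returns how each handler treats each request."""
    with tempfile.TemporaryDirectory() as root:
        backups = os.path.join(root, "backups")
        os.mkdir(backups)
        with open(os.path.join(backups, "site-2024-01-11.zip"), "wb") as fh:
            fh.write(b"PK\x03\x04 constructed archive bytes")
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-secret');")

        archive = {"action": "BMI_BACKUP", "file": "site-2024-01-11.zip"}
        traversal = {"action": "BMI_BACKUP", "file": "../wp-config.php"}
        admin = {"caps": {"manage_options"}}

        return {
            "vulnerable_anon": _outcome(lambda: vulnerable_handle_downloading(archive, backups)),
            "vulnerable_traversal": _outcome(lambda: vulnerable_handle_downloading(traversal, backups)),
            "hardened_anon": _outcome(lambda: hardened_handle_downloading(archive, backups, None)),
            "hardened_traversal": _outcome(lambda: hardened_handle_downloading(traversal, backups, admin)),
            "hardened_admin": _outcome(lambda: hardened_handle_downloading(archive, backups, admin)),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-20s %s" % (case, result))
```

The anonymous request is served by the vulnerable handler and refused by the hardened one; the hardened handler also refuses the traversal name even from an administrator, because the basename is not a `.zip` archive. The `realpath` containment check is what keeps a symlinked file in the backup directory from leaking content elsewhere on disk.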

Vulnerability details

The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII, database credentials, and much more.

CWE(s)

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-552: Files or Directories Accessible to External Parties

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

backupbliss
backup migration
≤ 1.3.6
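To turn the affected range above into a check that can be run against an installed copy, here is an added example written for this page (not the plugin's or the site's code). It reads the standard WordPress plugin header, whose `Version:` line is the authoritative installed version, and compares it numerically so that 1.3.10 is correctly treated as newer than 1.3.6. The plugin directory and main file name are assumptions about the install layout, and the sample header is constructed.

```python
"""Added example (not the page's or the plugin's code): decide whether an
installed copy of the plugin falls in the affected range (<= 1.3.6) by
reading the standard WordPress plugin header. The plugin directory and main
file name below are assumptions about the install layout."""
import os
import re

AFFECTED_MAX = "1.3.6"   # advisory: all versions up to and including 1.3.6
FIXED_IN = "1.3.7"       # version the page names as carrying the fix

# Assumed location of the plugin's main file inside a WordPress tree.
PLUGIN_MAIN_FILE = os.path.join("wp-content", "plugins", "backup-backup", "backup-backup.php")

# Constructed sample header in the shape WordPress expects; not a real file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Backup Migration
 * Description: Constructed sample header for the example.
 * Version: 1.3.6
 * Author: constructed
 */
"""


def parse_plugin_version(header_text):
    """Return the value of the 'Version:' header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version):
    """Numeric tuple for comparison. Parsing stops at the first non-numeric
    component, so '1.3.7-beta' compares as 1.3.7 and an unparseable string
    becomes the empty tuple, which is conservatively treated as affected."""
    parts = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        parts.append(int(part))
    return tuple(parts)


def is_affected(version):
    """True when version is in the vulnerable range (<= AFFECTED_MAX).
    Tuple comparison handles multi-digit components: 1.3.10 > 1.3.6."""
    return version_tuple(version) <= version_tuple(AFFECTED_MAX)


def assess_header(header_text):
    """Classify a plugin header as 'affected', 'patched' or 'unknown'."""
    version = parse_plugin_version(header_text)
    if version is None:
        return ("unknown", None)
    return ("affected" if is_affected(version) else "patched", version)


def assess_install(wp_root):
    """Read the plugin header from a WordPress install; 'absent' if the
    plugin is not present at the assumed path."""
    path = os.path.join(wp_root, PLUGIN_MAIN_FILE)
    if not os.path.isfile(path):
        return ("absent", None)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return assess_header(fh.read(8192))   # the header sits at the top of the file


if __name__ == "__main__":
    print(assess_header(SAMPLE_HEADER))
    print(assess_install("/var/www/html"))   # assumed document root
```

Comparing version strings lexically would mark 1.3.10 as older than 1.3.6; the tuple comparison avoids that. The `assess_install` helper is what you would point at each document root in a fleet inventory.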

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWE-200 and CWE-552) cited in the NVD entry rather than from the specific plugin flaw, so several entries are generic.

Each of the following controls is mapped to CWE-200 and CWE-552. Of these, reviewing publicly accessible content and protecting the confidentiality of backups map most directly to an unauthenticated backup download; the remainder are broad CWE-200 mappings.

Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.

Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data.

Protecting the confidentiality of backup information prevents unauthorized exposure of sensitive data stored in backups.

Sanitizing equipment to remove specified information before off-site maintenance prevents exposure of sensitive information to unauthorized actors such as external maintenance personnel.

The media protection policy defines requirements and procedures to prevent unauthorized disclosure of, or access to, sensitive information on media.

Assessing control effectiveness and providing incident communication channels at alternate sites reduces the likelihood of sensitive information exposure to unauthorized actors.

Requiring protection of the program plan from unauthorized disclosure directly reduces exposure of sensitive security program details and control descriptions.

Policies mandating protection of CUI on external systems directly reduce unauthorized exposure of sensitive information.
