CVE-2023-6266
Published: 11 January 2024
Summary
CVE-2023-6266 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Backupbliss Backup Migration. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 3.3% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Backup Migration plugin for WordPress contains an information disclosure vulnerability caused by insufficient path and file validation in the BMI_BACKUP case of the handle_downloading function. The flaw affects all versions up to and including 1.3.6 and is tracked under CWE-200 and CWE-552. An unauthenticated network attacker can request arbitrary backup archives directly, with no credentials or user interaction required, which is reflected in the CVSS 3.1 base score of 7.5.
Because the plugin exposes a download handler that accepts attacker-controlled parameters, any remote adversary can retrieve full backup files. These archives commonly contain WordPress database credentials, user password hashes, personally identifiable information, and other sensitive site data, allowing subsequent account takeover or further compromise of the affected installation and any connected services.
The referenced Wordfence advisory and WordPress plugin repository revisions indicate that the issue was addressed by improved input validation in version 1.3.7. Site administrators are advised to update immediately and to restrict or remove the plugin if backups are not required. The associated EPSS score has reached a peak of 0.3202 with a current value of 0.2946, indicating moderate and sustained exploitation interest following disclosure.
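To make the two missing checks concrete, here is an added illustrative download handler written for this page; it is not code from the Backup Migration plugin or from the 1.3.7 fix. It assumes the backup directory is passed in, that archives are `.zip` files, and that the request parameter is named `backup`; the function names are invented.

```php
<?php
// Added example, not the plugin's own code. It shows the two controls whose
// absence the advisory describes: the caller is never authenticated, and the
// requested file name is never confined to the backup directory.
// bmi_safe_backup_path() and bmi_handle_downloading_hardened() are assumed names.

/**
 * Resolve a user-supplied backup file name to an absolute path, or return
 * null if it is not a plain archive file located inside $backup_dir.
 */
function bmi_safe_backup_path( string $backup_dir, string $requested ): ?string {
    // 1. Only a bare file name is acceptable: no directory component, no dotfiles.
    if ( $requested === '' || $requested !== basename( $requested ) || $requested[0] === '.' ) {
        return null;
    }
    // 2. Allow only the archive extension the plugin produces (assumed .zip here).
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.zip$/', $requested ) ) {
        return null;
    }
    // 3. Canonicalise both sides and confirm containment. realpath() resolves
    //    symlinks and fails on missing files, so a link out of the directory is rejected.
    $root = realpath( $backup_dir );
    $path = realpath( $backup_dir . DIRECTORY_SEPARATOR . $requested );
    if ( $root === false || $path === false ) {
        return null;
    }
    if ( strpos( $path, $root . DIRECTORY_SEPARATOR ) !== 0 || ! is_file( $path ) ) {
        return null;
    }
    return $path;
}

/** Download handler: authenticate first, validate second, stream last. */
function bmi_handle_downloading_hardened( string $backup_dir ): void {
    // Require an authenticated administrator; unauthenticated requests stop here.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $requested = isset( $_GET['backup'] ) ? (string) wp_unslash( $_GET['backup'] ) : '';
    $path      = bmi_safe_backup_path( $backup_dir, $requested );
    if ( $path === null ) {
        wp_die( 'Invalid backup file', 400 );
    }
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
```

A nonce check (check_admin_referer) on the download link would additionally defeat cross-site requests from a logged-in administrator's browser.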
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58511
Vulnerability details
The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII, database credentials, and much more.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.
- Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data.
- Protecting the confidentiality of backup information prevents unauthorized exposure of sensitive data stored in backups.
- Sanitizing equipment to remove specified information before off-site maintenance prevents exposure of sensitive information to unauthorized actors such as external maintenance personnel.
- The media protection policy defines requirements and procedures to prevent unauthorized disclosure of, or access to, sensitive information on media.
- Assessing control effectiveness and providing incident communication channels at alternate sites reduces the likelihood of sensitive information exposure to unauthorized actors.
- Requiring protection of the program plan from unauthorized disclosure directly reduces exposure of sensitive security program details and control descriptions.
- Policies mandating protection of CUI on external systems directly reduce unauthorized exposure of sensitive information.