Cyber Resilience

CVE-2023-6505

High

Published: 08 January 2024

Modified: 18 June 2025
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.7378 (98.8th percentile)
Risk Priority: 59 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-6505 is a high-severity vulnerability, with an unspecified weakness type, in Codexonics Prime Mover. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 1.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is present in the Migrate WordPress Website & Backups WordPress plugin before version 1.9.3. It stems from a failure to prevent directory listing in sensitive directories that hold export files, allowing unauthenticated network access to their contents and producing a CVSS 7.5 rating focused solely on confidentiality.

An attacker needs no credentials and no user interaction to enumerate and retrieve the exposed export files over the network, potentially disclosing sensitive site data such as database contents or configuration details.

Advisories published by WPScan at the referenced URLs identify the affected plugin versions and indicate that the exposure is resolved by updating to 1.9.3 or later. The associated EPSS score has reached 0.7378 without an observable rise from a lower baseline.

EU & UK References

Vulnerability details

The Migrate WordPress Website & Backups WordPress plugin before 1.9.3 does not prevent directory listing in sensitive directories containing export files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1574.010 Services File Permissions Weakness (Stealth)
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

The vulnerability enables unauthenticated directory listing and access to sensitive export files due to missing protections, facilitating data collection from the local system (T1005), exploitation of file system permissions weaknesses (T1044), and file and directory discovery (T1083).

Affected Assets

Vendor: codexonics
Product: prime mover
Version: ≤ 1.9.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References