CVE-2023-6505
Published: 08 January 2024
Summary
CVE-2023-6505 is a high-severity vulnerability of unspecified weakness type in Codexonics Prime Mover. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 1.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is present in the Migrate WordPress Website & Backups WordPress plugin before version 1.9.3. It stems from a failure to prevent directory listing in sensitive directories that hold export files, allowing unauthenticated network access to their contents and producing a CVSS 7.5 rating focused solely on confidentiality.
An attacker needs no credentials and no user interaction to enumerate and retrieve the exposed export files over the network, potentially disclosing sensitive site data such as database contents or configuration details.
Advisories published by WPScan at the referenced URLs identify the affected plugin versions and indicate that the exposure is resolved by updating to 1.9.3 or later. The associated EPSS score has reached 0.7378 without an observable rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58736
Vulnerability details
The Migrate WordPress Website & Backups WordPress plugin before 1.9.3 does not prevent directory listing in sensitive directories containing export files.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated directory listing and access to sensitive export files due to missing protections, facilitating data collection from the local system (T1005), exploitation of file system permissions weaknesses (T1044), and file and directory discovery (T1083).