Cyber Resilience

CVE-2023-6750

High · Public PoC

Published: 08 January 2024

Modified: 21 November 2024
KEV Added: (not listed)
Patch: (see Deeper analysis)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.4179 (97.5th percentile)
Risk Priority: 40 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-6750 is a high-severity vulnerability in Backupbliss Clone whose weakness type (CWE) has not been assigned. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Clone WordPress plugin before version 2.4.3 contains an information disclosure vulnerability stemming from its use of buffer files to store in-progress backup data. These files are written to a statically defined path that remains publicly accessible over the network, allowing unauthenticated retrieval of their contents. The issue carries a CVSS 3.1 base score of 7.5, reflecting network attack vector, low complexity, and high confidentiality impact with no authentication or user interaction required.

An attacker can directly request the known file path to obtain sensitive backup information, including site data that may contain credentials, user details, or other confidential material. Because the exposure requires no privileges, any remote party with network access to the WordPress instance can exploit it and exfiltrate the stored backup contents.

The WPScan advisory for this issue recommends updating the Clone plugin to version 2.4.3 or later to eliminate the static public buffer path. The associated EPSS score reached a peak of 0.4835, indicating a material rise in exploitation interest after disclosure that warrants renewed attention.
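The practical defender's check for this issue is confirming the installed Clone plugin version against the fixed release named above. The following script is an added example, not code from this record or from the plugin vendor: it parses the standard WordPress plugin header (the `Version:` line every plugin main file carries) and reports whether the installed version is below 2.4.3. The sample header embedded in it is constructed for illustration; the plugin directory path is an assumption to adapt to your install.

```python
import re
from pathlib import Path

# First release that removes the static, public buffer path (per the advisory).
FIXED_VERSION = (2, 4, 3)

# Constructed sample of a WordPress plugin main-file header (not from the real plugin).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Clone
Description: Backup and clone your site
Version: 2.4.2
Author: example
*/
"""

_VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(s: str) -> tuple:
    """Turn '2.4', '2.4.2' or '2.4.3-beta' into a comparable numeric tuple.

    Only the leading numeric components count; missing components are
    padded with zeros so '2.4' compares as (2, 4, 0).
    """
    nums = [int(p) for p in re.findall(r"\d+", s.split("-")[0])]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def extract_version(header_text: str):
    """Return the Version string from a plugin header, or None if absent."""
    m = _VERSION_LINE.search(header_text)
    return m.group(1) if m else None


def is_vulnerable(version_str: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version_str) < FIXED_VERSION


def check_plugin_header(header_text: str) -> dict:
    """Summarise one plugin header: version found and whether it needs updating."""
    version = extract_version(header_text)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "no Version: line found"}
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "note": "update to 2.4.3 or later" if is_vulnerable(version) else "fixed version installed",
    }


def audit_plugin_dir(plugin_dir: Path) -> list:
    """Scan a plugin directory's top-level PHP files for a plugin header and report on it.

    plugin_dir is assumed to be something like wp-content/plugins/<slug>; the slug
    is not given on this page, so it is left for the operator to supply.
    """
    results = []
    for php in sorted(plugin_dir.glob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        if extract_version(text) is not None:
            results.append({"file": str(php), **check_plugin_header(text)})
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed sample header.
    print(check_plugin_header(SAMPLE_PLUGIN_HEADER))
```

Run it against the real plugin directory with `audit_plugin_dir(Path("wp-content/plugins/<slug>"))`; a `vulnerable: True` result means the plugin should be updated to 2.4.3 or later, and any buffer files the old version left in a web-served location should be reviewed and removed.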

EU & UK References

Vulnerability details

The Clone WordPress plugin before 2.4.3 uses buffer files to store in-progress backup information, which is stored at a publicly accessible, statically defined file path.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: backupbliss
Product: clone
Versions: ≤ 2.4.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References