
CVE-2023-7002

High · Public PoC · RCE

Published: 23 December 2023
Modified: 08 April 2026
KEV Added: not listed
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2315 (96.1st percentile)
Risk Priority: 28 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-7002 is a high-severity OS Command Injection (CWE-78) vulnerability in Backupbliss Backup Migration. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 1.3.9 via the 'url' parameter. The flaw, tracked as CWE-78, resides in the plugin's AJAX handling code and carries a CVSS 3.1 score of 7.2.

Authenticated attackers who possess administrator-level permissions or higher can supply a crafted URL value to trigger execution of arbitrary operating-system commands on the underlying host. The attack requires no user interaction and can be performed over the network.

The provided references point to the vulnerable code paths in ajax.php and to a subsequent changeset that updated the plugin, indicating that remediation occurred through a code change released after version 1.3.9. The EPSS score has remained flat at its peak value of 0.2315 with no material increase observed after disclosure.


Vulnerability details

The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands on the host operating system.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: backupbliss
Product: backup migration
Versions: ≤ 1.4.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
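The control above is abstract, and the analysis earlier on this page only says that a 'url' parameter reaches OS-command execution in the plugin's AJAX code. The following PHP is an added example, not code from the Backup Migration plugin or its vendor, showing what "validate the input and block special elements" looks like in practice for a caller-supplied download URL, and why validation should be paired with removing the shell from the path entirely. All function names (validate_backup_url, fetch_backup_unsafe, fetch_backup_safe, fetch_backup_via_tool), the sample inputs and the use of wget are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names, not the plugin's code): a caller-supplied
// 'url' value is validated as an http(s) URL and the download is then performed
// without ever building a shell command line from it.

/**
 * Return $url unchanged if it is an acceptable remote backup location, else null.
 * Only absolute http/https URLs with a host are accepted. This narrows the input
 * but cannot exclude every shell metacharacter, because ';', '&', '$' and '(' are
 * legal URL characters; that is why the fetch functions below avoid the shell.
 */
function validate_backup_url(string $url): ?string
{
    // Control characters (newlines included) never belong in a URL and are the
    // classic way of smuggling a second command into a shell line.
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    // A per-deployment host allowlist here would also limit SSRF; omitted for brevity.
    return $url;
}

/**
 * UNSAFE pattern (do not use): the raw parameter is interpolated into a shell
 * command, so any shell metacharacter in 'url' changes what gets executed (CWE-78).
 * Shown only as the "before" that the two functions below replace.
 */
function fetch_backup_unsafe(string $url, string $dest): void
{
    shell_exec('wget -q -O ' . $dest . ' ' . $url);
}

/**
 * Safe pattern: validate first, then download with PHP's own HTTP stream wrapper,
 * so no shell and no external program are involved at all.
 */
function fetch_backup_safe(string $url, string $dest): bool
{
    $clean = validate_backup_url($url);
    if ($clean === null) {
        return false;
    }
    $ctx  = stream_context_create(['http' => ['timeout' => 30, 'follow_location' => 0]]);
    $data = @file_get_contents($clean, false, $ctx);
    return $data !== false && file_put_contents($dest, $data) !== false;
}

/**
 * If an external tool really is required, pass the command as an array: proc_open
 * (PHP >= 7.4) then executes the program directly instead of through /bin/sh, so
 * the URL arrives as a single argv entry and cannot be reinterpreted as syntax.
 */
function fetch_backup_via_tool(string $url, string $dest): int
{
    $clean = validate_backup_url($url);
    if ($clean === null) {
        return 1;
    }
    $proc = proc_open(['wget', '-q', '-O', $dest, $clean], [], $pipes);
    return is_resource($proc) ? proc_close($proc) : 1;
}

// Constructed sample inputs: a legitimate URL, a newline-smuggling attempt, and a
// non-http scheme. Only the first is accepted by the validator.
$samples = [
    'https://backups.example.com/site.zip',
    "https://backups.example.com/site.zip\nid",
    'file:///etc/passwd',
];
foreach ($samples as $s) {
    printf("%-45s => %s\n", str_replace("\n", '\n', $s),
        validate_backup_url($s) === null ? 'rejected' : 'accepted');
}
```

In a WordPress AJAX handler the same flow would sit behind the usual capability and nonce checks; those limit who can reach the code path (here, administrators), while the validation and shell-free fetch limit what a reachable caller can make the host do.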
