CVE-2023-7002
Published: 23 December 2023
Summary
CVE-2023-7002 is a high-severity OS Command Injection (CWE-78) vulnerability in Backupbliss Backup Migration. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 1.3.9 via the 'url' parameter. The flaw, tracked as CWE-78, resides in the plugin's AJAX handling code and carries a CVSS 3.1 score of 7.2.
Authenticated attackers who possess administrator-level permissions or higher can supply a crafted URL value to trigger execution of arbitrary operating-system commands on the underlying host. The attack requires no user interaction and can be performed over the network.
The provided references point to the vulnerable code paths in ajax.php and to a subsequent changeset that updated the plugin, indicating that remediation occurred through a code change released after version 1.3.9. The EPSS score has remained flat at its peak value of 0.2315 with no material increase observed after disclosure.
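As an added example (not the plugin's own code; the AJAX action name, capability and nonce action are assumed), the CWE-78 shape behind a flaw of this kind in a WordPress AJAX handler, beside a hardened handler that validates the 'url' value and never passes it to a shell:

```php
<?php
// Illustrative WordPress AJAX handler showing the CWE-78 pattern and a
// hardened form. This is an added example, NOT code from the Backup
// Migration plugin; the action name, capability and nonce action are assumed.

// (a) Vulnerable pattern: a user-controlled 'url' value is interpolated into
// a shell command line, so shell metacharacters in the value become commands.
function bm_example_fetch_vulnerable() {
    $url = $_POST['url'] ?? '';
    // Never do this: the value reaches /bin/sh unescaped.
    $out = shell_exec( 'curl -sL ' . $url );
    wp_send_json_success( $out );
}

// (b) Hardened pattern: no shell at all. The URL is validated, restricted to
// http/https, and fetched with the WordPress HTTP API.
function bm_example_fetch_hardened() {
    // Admin-only action: enforce the capability and a nonce (CSRF) check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'bm_example_fetch', 'nonce' );

    $url = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    // esc_url_raw() normalises the value and drops non-http(s) schemes;
    // wp_http_validate_url() rejects malformed and private/loopback targets.
    $url = esc_url_raw( $url, array( 'http', 'https' ) );
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    // Fetch via the HTTP API: the value is data, never part of a command line.
    $response = wp_remote_get( $url, array( 'timeout' => 15, 'redirection' => 3 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

// Register only the hardened handler for logged-in users; wp_ajax_nopriv_*
// is deliberately not registered because the action is admin-only.
add_action( 'wp_ajax_bm_example_fetch', 'bm_example_fetch_hardened' );
```

Wrapping the value in escapeshellarg() would narrow the vulnerable form, but removing the shell entirely is the fix that leaves no metacharacter handling to get wrong.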
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-59194
Vulnerability details
The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands on the host operating system.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.