CVE-2023-7165
Published: 27 February 2024
Summary
CVE-2023-7165 is a high-severity vulnerability of unspecified weakness type in the JetBackup plugin by JetBackup. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083). The CVE is ranked in the top 3.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
The JetBackup WordPress plugin before version 2.0.9.9 is affected by a directory listing issue that occurs when index files are absent in certain configurations. This allows public exposure of sensitive directories containing backup files. The flaw carries a CVSS 3.1 score of 7.5, reflecting network-accessible exploitation with no required credentials or user interaction and a high impact on confidentiality.
An unauthenticated attacker can enumerate and directly retrieve backup archives hosted by the plugin, potentially exposing database contents, site files, or credentials stored in those archives. Because the vector requires only standard HTTP requests, the exposure can occur through routine web scanning or targeted reconnaissance against WordPress installations using the plugin.
Advisories published by WPScan detail the affected versions and recommend upgrading to 2.0.9.9 or later to address the missing index protections. The current EPSS score of 0.3158, with a peak of 0.3199, indicates moderate and relatively stable exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-59346
Vulnerability details
The JetBackup WordPress plugin before 2.0.9.9 doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files.
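The root cause described above, backup directories served without an index file, can be audited on a server one administers. The following is an added example, not code from the JetBackup project or the advisory: it walks a constructed content tree, reports directories lacking an index file, and drops in WordPress's conventional stub index.php; the wp-content/backups path is hypothetical, and upgrading the plugin to 2.0.9.9 or later remains the actual fix.

```python
"""Audit a WordPress tree for directories with no index file (CVE-2023-7165).

Constructed example; directory layout and paths below are hypothetical,
not the JetBackup plugin's real storage locations.
"""
import os
import tempfile
from pathlib import Path

INDEX_NAMES = ("index.php", "index.html", "index.htm")
STUB = "<?php\n// Silence is golden.\n"  # WordPress's conventional empty index stub


def unprotected_dirs(root):
    """Return directories under root (root included) that have no index file.

    With autoindex enabled, a web server lists the contents of such
    directories to any unauthenticated client, which is how backup
    archives become discoverable.
    """
    missing = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not any(name in filenames for name in INDEX_NAMES):
            missing.append(Path(dirpath))
    return sorted(missing)


def protect_dirs(root):
    """Write a stub index.php into every unprotected directory; return count."""
    dirs = unprotected_dirs(root)
    for d in dirs:
        (d / "index.php").write_text(STUB)
    return len(dirs)


def demo():
    """Build a constructed backup tree, audit it, fix it, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        backups = Path(tmp) / "wp-content" / "backups"      # hypothetical path
        (backups / "2024-02").mkdir(parents=True)
        (backups / "2024-02" / "site-db.sql.gz").write_bytes(b"\x1f\x8b")  # constructed
        (backups / "index.php").write_text(STUB)           # only top level protected
        before = [p.relative_to(tmp).as_posix() for p in unprotected_dirs(tmp)]
        fixed = protect_dirs(tmp)
        remaining = len(unprotected_dirs(tmp))
        return before, fixed, remaining


if __name__ == "__main__":
    print(demo())
```

The stub only suppresses listings; it does not make the archives themselves unreachable, so backup directories should also be kept outside the document root or denied at the web-server level.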
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory listing exposes backup files (likely including database dumps) and logs, facilitating file and directory discovery (T1083), collection of data from databases via backups (T1213.006), and enumeration of logs (T1654).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.