Cyber Resilience

CVE-2023-7165

Severity: High · Public PoC available

Published: 27 February 2024
Modified: 01 May 2025
KEV Added: not listed
Patch: upgrade to 2.0.9.9 or later (see Deeper analysis)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.3158 (96.9th percentile)
Risk Priority: 34 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-7165 is a high-severity vulnerability of unspecified weakness type (no CWE mapped) in the JetBackup WordPress plugin (vendor: JetBackup). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083). The CVE ranks in the top 3.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

The JetBackup WordPress plugin before version 2.0.9.9 is affected by a directory listing issue that occurs when index files are absent in certain configurations. This allows public exposure of sensitive directories containing backup files. The flaw carries a CVSS 3.1 score of 7.5, reflecting network-accessible exploitation with no required credentials or user interaction and a high impact on confidentiality.

An unauthenticated attacker can enumerate and directly retrieve backup archives hosted by the plugin, potentially exposing database contents, site files, or credentials stored in those archives. Because the vector requires only standard HTTP requests, the exposure can occur through routine web scanning or targeted reconnaissance against WordPress installations using the plugin.

Advisories published by WPScan detail the affected versions and recommend upgrading to 2.0.9.9 or later to address the missing index protections. The current EPSS score of 0.3158, with a peak of 0.3199, indicates moderate and relatively stable exploitation interest since disclosure.

Vulnerability details

The JetBackup WordPress plugin before 2.0.9.9 doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files.
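The missing protection described above is the absence of an index placeholder and a web-server directive that disables directory indexes. The following is an added illustration, not JetBackup's or WPScan's code: it audits a backup directory for those two conventional protections and adds them when missing. The directory layout (wp-content/backups and the archive name) is constructed, and the .htaccess rules assume Apache 2.4 syntax.

```python
"""Audit and harden a WordPress backup directory against directory listing.

Added illustration, not JetBackup's own code. It checks for the two
conventional protections (an index.php placeholder and an .htaccess with
'Options -Indexes') and can write them. The directory layout is constructed.
"""
import os
import tempfile

INDEX_STUB = "<?php\n// Silence is golden.\n"  # WordPress's usual placeholder
HTACCESS_RULES = (
    "Options -Indexes\n"                       # no auto-generated listings
    "<FilesMatch \"\\.(zip|tar|gz|sql)$\">\n"  # and no direct archive fetches
    "    Require all denied\n"                 # Apache 2.4 syntax (assumption)
    "</FilesMatch>\n"
)

def audit_backup_dir(path):
    """Return a list of findings; an empty list means both protections are present."""
    findings = []
    entries = set(os.listdir(path))
    if not ({"index.php", "index.html"} & entries):
        findings.append("no index file: web server may render a directory listing")
    htaccess = os.path.join(path, ".htaccess")
    if not os.path.exists(htaccess):
        findings.append("no .htaccess: 'Options -Indexes' not enforced")
    else:
        with open(htaccess) as f:
            if "Options -Indexes" not in f.read():
                findings.append(".htaccess present but lacks 'Options -Indexes'")
    return findings

def harden_backup_dir(path):
    """Write the placeholder index and the .htaccess rules into the directory."""
    with open(os.path.join(path, "index.php"), "w") as f:
        f.write(INDEX_STUB)
    with open(os.path.join(path, ".htaccess"), "w") as f:
        f.write(HTACCESS_RULES)

def demo():
    """Constructed layout: a backup directory holding one archive and nothing else."""
    root = tempfile.mkdtemp()
    backups = os.path.join(root, "wp-content", "backups")  # constructed path
    os.makedirs(backups)
    open(os.path.join(backups, "site-2024-02-27.tar.gz"), "wb").close()
    before = audit_backup_dir(backups)   # two findings: exposed as described
    harden_backup_dir(backups)
    after = audit_backup_dir(backups)    # no findings once protections exist
    return before, after

if __name__ == "__main__":
    print(demo())
```

Running the audit against the real backup path of an installation reports the same two findings when the plugin's own protections are absent.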

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
T1654 Log Enumeration (Discovery): Adversaries may enumerate system and service logs to find useful data.

Why these techniques?

Directory listing exposes backup files (likely including database dumps) and logs, facilitating file and directory discovery (T1083), collection of data from databases via backups (T1213.006), and enumeration of logs (T1654).

Affected Assets

Vendor: jetbackup
Product: jetbackup
Versions: ≤ 2.0.9.9

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
