7.5

CVE-2023-6266

EPSS 21.79%
Veröffentlicht 11.01.2024 09:15:48
Zuletzt bearbeitet 08.04.2026 17:17:13
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Backup Migration <= 1.3.6 - Unauthenticated Arbitrary Backup Download to Sensitive Information Exposure

The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII,  database credentials, and much more.

Mögliche Gegenmaßnahme

BackupBliss – Backup & Migration with Free Cloud Storage: Update to version 1.3.7, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 8

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt BackupBliss – Backup & Migration with Free Cloud Storage

Version *-1.3.6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Backupbliss ≫ Backup Migration SwPlatformwordpress Version <= 1.3.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	21.79%	0.956

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security@wordfence.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-552 Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.5/includes/initializer.php#L1048

Issue Tracking

https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.5/includes/initializer.php#L972

Issue Tracking

https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.7/includes/initializer.php#L1065

Issue Tracking

https://www.wordfence.com/threat-intel/vulnerabilities/id/08801f53-3c57-41a3-a637-4b52637cc612?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/08801f53-3c57-41a3-a637-4b52637cc612

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-6266

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-6266

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-6266

EUVD