9.8
CVE-2023-6971
- EPSS 9.06%
- Veröffentlicht 23.12.2023 02:15:45
- Zuletzt bearbeitet 21.11.2024 08:44:57
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginBackup Migration 1.0.8 - 1.3.9 - Remote File Inclusion via content-dir
The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. NOTE: Successful exploitation of this vulnerability requires that the target server's php.ini is configured with 'allow_url_include' set to 'on'. This feature is deprecated as of PHP 7.4 and is disabled by default, but can still be explicitly enabled in later versions of PHP.
Mögliche Gegenmaßnahme
BackupBliss – Backup & Migration with Free Cloud Storage: Update to version 1.4.0, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
BackupBliss – Backup & Migration with Free Cloud Storage
Version
1.0.8-1.3.9
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Backupbliss ≫ Backup Migration SwPlatformwordpress Version >= 1.0.8 < 1.4.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 9.06% | 0.923 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security@wordfence.com | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.