Threat Feed
high advisory

WordPress Backup Migration Plugin Unauthenticated Database Backup Download

WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability allowing unauthenticated attackers to download complete database backups by accessing predictable file paths.

WordPress Plugin Backup Migration 1.2.8 is vulnerable to information disclosure. Unauthenticated attackers can exploit this flaw to download complete database backups by accessing predictable file paths. The vulnerability, identified as CVE-2023-54346, allows attackers to enumerate backup directories through configuration files and logs. This enumeration enables the construction of direct download URLs, which, when accessed, retrieve sensitive backup archives containing full database dumps. This poses a significant risk to WordPress sites using the affected plugin version, as it allows unauthorized access to sensitive data.

Attack Chain

  1. The attacker identifies a WordPress site using the Backup Migration plugin version 1.2.8.
  2. The attacker accesses publicly available configuration files (e.g., wp-config.php) to gather information about the site's structure.
  3. The attacker attempts to access log files created by the Backup Migration plugin to identify backup directory names.
  4. The attacker identifies predictable file paths for backup files based on the enumerated backup directory names.
  5. The attacker constructs direct download URLs for backup archive files (e.g., .zip or .sql) based on the identified paths.
  6. The attacker sends an HTTP GET request to the constructed URL.
  7. The server responds with the backup archive file containing the complete WordPress database.
  8. The attacker downloads and extracts the database backup, gaining access to sensitive information, including user credentials, site configuration, and potentially other data.

Impact

Successful exploitation of this vulnerability allows attackers to download complete WordPress database backups, potentially exposing sensitive information such as user credentials, configuration details, and proprietary data. The impact is significant, as it could lead to account compromise, data theft, and further malicious activities. This vulnerability affects all WordPress sites using the Backup Migration plugin version 1.2.8 that have not applied a patch.

Recommendation

  • Deploy the Sigma rule "Detect WordPress Backup Directory Enumeration" to identify potential attempts to discover backup directories by monitoring web server logs for suspicious file requests.
  • Deploy the Sigma rule "Detect WordPress Backup File Download" to detect direct downloads of backup files by monitoring web server logs for requests to common backup file extensions within the WordPress content directory.
  • Upgrade the Backup Migration plugin to a version that addresses CVE-2023-54346.

Detection coverage (2 rules)

Detect WordPress Backup Directory Enumeration

medium

Detects attempts to enumerate WordPress backup directories by monitoring web server logs for suspicious file requests.

Rule type: Sigma. Tactics: discovery. Techniques: T1595.002. Sources: webserver, linux.

Detect WordPress Backup File Download

high

Detects direct downloads of WordPress backup files by monitoring web server logs for requests to common backup file extensions within the WordPress content directory.

Rule type: Sigma. Tactics: credential_access. Sources: webserver, linux.
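The two rules above describe their logic only in prose, and the platform's queries are not shown on this page. As an added illustration (not the platform's Sigma rules), the following Python applies the same two heuristics to constructed Apache/nginx combined-format log lines: requests for archive or dump extensions under /wp-content/ are flagged as backup downloads (high when the server actually served the file), and requests for log or config-style files there are flagged as directory enumeration. The extension lists, the sample log and the directory names in it are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Apache/nginx "combined" log format; fields beyond those used here are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
WP_CONTENT = '/wp-content/'
# Assumed heuristics (not the platform's Sigma logic): archive/dump extensions
# under wp-content, and log/config-style files that could reveal a backup directory.
BACKUP_EXT = re.compile(r'\.(zip|sql|tar|tgz|gz|bak)$', re.IGNORECASE)
ENUM_FILE = re.compile(r'\.(log|ini|conf|config)$', re.IGNORECASE)

@dataclass
class Alert:
    rule: str
    severity: str
    ip: str
    path: str
    status: int

def classify(line: str):
    # Returns an Alert for one access-log line, or None when nothing matches.
    m = LOG_RE.match(line)
    if not m or m.group('method') != 'GET':
        return None
    path = m.group('path').split('?', 1)[0]          # match on the path only
    if not path.startswith(WP_CONTENT):
        return None
    status, ip = int(m.group('status')), m.group('ip')
    if BACKUP_EXT.search(path):
        # A 2xx means the archive was actually served; anything else is a probe.
        sev = 'high' if 200 <= status < 300 else 'medium'
        return Alert('wp_backup_file_download', sev, ip, path, status)
    if ENUM_FILE.search(path):
        return Alert('wp_backup_dir_enumeration', 'medium', ip, path, status)
    return None

def scan(lines):
    # Runs classify() over a whole log and returns the alerts in order.
    return [a for a in map(classify, lines) if a is not None]

# Constructed sample log: one source probes a plugin log file, then fetches an
# archive; the other only touches ordinary files. Directory names are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/example/readme.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /wp-content/constructed-backup-dir/plugin.log HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "GET /wp-content/constructed-backup-dir/site-backup.zip HTTP/1.1" 200 8421337',
    '198.51.100.4 - - [10/Jan/2024:10:01:01 +0000] "GET /index.php?file=backup.zip HTTP/1.1" 404 300',
]
```

Running scan(SAMPLE_LOG) yields one medium enumeration alert followed by one high download alert, both from 203.0.113.7; the readme.txt request and the query-string-only request produce nothing.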

Detection queries are kept inside the platform.