Attack Chain

1. Attacker identifies a WordPress site using the Backup Migration plugin version 1.2.8.
2. Attacker accesses publicly available configuration files (e.g., wp-config.php) to gather information about the site’s structure.
3. The attacker attempts to access log files created by the Backup Migration plugin to identify backup directory names.
4. Attacker identifies predictable file paths for backup files based on the enumerated backup directory names.
5. The attacker constructs direct download URLs for backup archive files (e.g., .zip or .sql) based on the identified paths.
6. The attacker sends an HTTP GET request to the constructed URL.
7. The server responds with the backup archive file containing the complete WordPress database.
8. Attacker downloads and extracts the database backup, gaining access to sensitive information, including user credentials, site configuration, and potentially other data.

Impact

Successful exploitation of this vulnerability allows attackers to download complete WordPress database backups, potentially exposing sensitive information such as user credentials, configuration details, and proprietary data. The impact is significant, as it could lead to account compromise, data theft, and further malicious activities. This vulnerability affects all WordPress sites using the Backup Migration plugin version 1.2.8 that have not applied a patch.

Recommendation

• Deploy the Sigma rule Detect WordPress Backup Directory Enumeration to identify potential attempts to discover backup directories by monitoring web server logs for suspicious file requests.
• Deploy the Sigma rule Detect WordPress Backup File Download to detect direct downloads of backup files by monitoring web server logs for requests to common backup file extensions within the WordPress content directory.
• Upgrade the Backup Migration plugin to a version that addresses CVE-2023-54346.