CVE-2023-54346 | THREATINT

Description

WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps.

PUBLISHED Reserved 2026-01-10 | Published 2026-05-05 | Updated 2026-05-06 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Insertion of Sensitive Information into Externally-Accessible File or Directory

Product status

1.2.8

affected

Credits

Wadeek finder

References

www.exploit-db.com/exploits/51445 (ExploitDB-51445) exploit

backupbliss.com/ (Official Product Homepage) product

downloads.wordpress.org/plugin/backup-backup.1.2.8.zip (Product Reference) product

www.vulncheck.com/...nauthenticated-database-backup-download (VulnCheck Advisory: WordPress Plugin Backup Migration 1.2.8 Unauthenticated Database Backup Download) third-party-advisory

cve.org (CVE-2023-54346)

nvd.nist.gov (CVE-2023-54346)

Download JSON