Description
WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps.
Published: 2026-05-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Plugin Backup Migration version 1.2.8 contains an information disclosure flaw that permits unauthenticated actors to retrieve entire database backups by requesting predictable file paths. The flaw allows attackers to construct direct download URLs after discovering backup directories through configuration files and logs, resulting in the extraction of sensitive data such as user credentials, configuration settings, and potentially customer information. This issue is identified as CWE-538, reflecting the exposure of confidential logs or data.

Affected Systems

The vulnerability affects the Backupbliss WordPress Plugin Backup Migration product specifically at version 1.2.8. No other versions or products are listed in the current data.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high severity flaw, and the lack of an EPSS score suggests that exploitation likelihood cannot be precisely quantified, but the unauthenticated nature and predictable URLs indicate an easy attack path. The flaw is not listed in the CISA KEV catalog and no official workaround is publicly documented. If exploited, the attacker could achieve full database compromise, leading to a complete confidentiality breach of sensitive business and user data.

Generated by OpenCVE AI on May 5, 2026 at 12:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Backup Migration to the latest patched version as released by Backupbliss.
  • Configure web server or .htaccess rules to restrict access to the backup directory and prevent direct URL downloads.
  • If the backup feature is not essential, disable or remove the Backup Migration plugin entirely.
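The second recommended action above, shown as an added Apache configuration example (not part of the OpenCVE record or of the Backupbliss plugin). The backup directory path is a placeholder, since the record does not state where the plugin writes its archives; adjust it to the real location on the affected site.

```apache
### File 1: .htaccess placed inside the backup directory itself
### (placeholder path: wp-content/backup-migration/ -- substitute the real one).
### Only honoured when the vhost allows it, e.g. "AllowOverride All" or
### "AllowOverride AuthConfig Limit Options" for this directory tree.

# Refuse every direct HTTP request for anything in this directory, so a
# backup archive name learned from a config file or log cannot be fetched
# by an unauthenticated client.
<IfModule mod_authz_core.c>
    # Apache 2.4+
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 fallback
    Order deny,allow
    Deny from all
</IfModule>

# Never render a directory index, even if a listing is requested.
Options -Indexes

### File 2: addition to the site-wide .htaccess in the WordPress root.
### Second layer: even if the backup directory moves, block direct downloads
### of archive and dump files, and of the config/log files the advisory says
### are used to locate them, anywhere under wp-content.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Extension list is an assumption about what the plugin writes;
    # extend it after checking the real backup directory.
    RewriteRule ^wp-content/.*\.(zip|sql|gz|tgz|tar|bz2|7z|log|json)$ - [F,L,NC]
</IfModule>
```

After deploying, request a known archive URL as an anonymous client and confirm the server answers 403 rather than serving the file; a 200 means the override is not being honoured or the path is wrong.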

Generated by OpenCVE AI on May 5, 2026 at 12:28 UTC.

Advisories

No advisories yet.

History

Tue, 05 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps.
Title | | WordPress Plugin Backup Migration 1.2.8 Unauthenticated Database Backup Download
Weaknesses | | CWE-538
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
 | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T11:24:50.282Z

Reserved: 2026-01-10T01:51:52.985Z

Link: CVE-2023-54346

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T12:16:17.020

Modified: 2026-05-05T12:16:17.020

Link: CVE-2023-54346

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T12:30:24Z

Weaknesses