Description
Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration wp-migration-duplicator allows Retrieve Embedded Sensitive Data. This issue affects WordPress Backup & Migration: from n/a through <= 1.5.3.
Published: 2025-04-17
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insertion of sensitive information into log files by the WebToffee WordPress Backup & Migration plugin. An attacker can trigger the plugin to write private data such as authentication tokens or database credentials into its log, leading to a confidentiality breach. The flaw maps to CWE-532: Insertion of Sensitive Information into Log File.

Affected Systems

Affected systems are WordPress sites that have the WebToffee Backup & Migration plugin installed in any version up to and including 1.5.3. The vendor is WebToffee and the product is the WordPress Backup & Migration plugin. Users of older or unpatched releases are at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate impact, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The plugin logs data only when a migration or backup operation is performed, so an attacker would need to trigger such an operation, which likely requires administrative privileges or the ability to execute plugin code. If the log files are stored in a location accessible via HTTP, an attacker could read them directly; otherwise, the threat is limited to insider or compromised accounts. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 1, 2026 at 09:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WebToffee WordPress Backup & Migration plugin to any version newer than 1.5.3 to remove the logging flaw.
  • If an immediate upgrade is not feasible, configure the plugin or web server to disable logging of sensitive data, or remove the log file from the web-accessible directory.
  • Restrict access to the plugin’s log directory by setting appropriate file permissions or adding an .htaccess rule to deny public read access; monitor the log for unexpected sensitive entries.
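Two defender-side checks for the recommended actions above (deny web access to the log directory, and watch the log for sensitive entries), as an added shell example that is not part of the OpenCVE record or of the plugin's own code; the log directory path, log file name, sample log lines and secret-matching patterns are all assumptions, since the advisory does not name the plugin's log location.

```shell
#!/bin/sh
# Added example, not OpenCVE's or WebToffee's code. Two defender-side checks for
# the CWE-532 issue above: install an .htaccess denying HTTP reads of log files,
# and scan a log for entries that look like credentials or tokens. Every path and
# pattern here is an ASSUMPTION; the advisory does not name the plugin's log path.

# Write an Apache 2.4 deny rule into the given directory and tighten log perms.
write_log_htaccess() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/.htaccess" <<'EOF'
# Deny all HTTP access to backup/migration log files (CWE-532 mitigation)
<FilesMatch "\.(log|txt)$">
    Require all denied
</FilesMatch>
EOF
  chmod 0600 "$dir"/*.log 2>/dev/null || true   # owner-only read/write
  grep -q 'Require all denied' "$dir/.htaccess"
}

# Count log lines that appear to carry secrets (assumed heuristic patterns:
# DB credential assignments, password fields, auth/API tokens, bearer tokens).
# grep -c exits 1 when the count is 0, so only that status is tolerated.
count_sensitive_entries() {
  grep -Eic 'DB_PASSWORD|DB_USER|password[[:space:]]*[=:]|(auth|api|access)[_ -]?token|Bearer [A-Za-z0-9._-]{16,}' "$1" || [ $? -eq 1 ]
}

# Constructed sample log (not real plugin output) used to exercise the scanner.
make_sample_log() {
  cat > "$1" <<'EOF'
[2025-04-17 16:00:01] migration started for site example.invalid
[2025-04-17 16:00:02] DB_PASSWORD=s3cr3t-placeholder
[2025-04-17 16:00:03] exported 42 tables
[2025-04-17 16:00:04] Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345
[2025-04-17 16:00:05] migration finished
EOF
}

# Stand-alone run: build the sample, protect the directory, report hits.
demo() {
  d="${TMPDIR:-/tmp}/wpmd-log-demo"   # placeholder for the real log directory
  mkdir -p "$d" && make_sample_log "$d/migration.log"
  write_log_htaccess "$d"
  hits=$(count_sensitive_entries "$d/migration.log")
  echo "sensitive-looking entries in $d/migration.log: $hits"
  [ "$hits" -gt 0 ] && echo "ALERT: review the log and rotate any exposed credentials"
  return 0
}
demo
```

The FilesMatch rule uses Apache 2.4 `Require` syntax; on nginx the equivalent is a `location` block returning 403 for the log directory.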

Advisories
Source: EUVD
ID: EUVD-2025-11610
Title: Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration allows Retrieve Embedded Sensitive Data. This issue affects WordPress Backup & Migration: from n/a through 1.5.3.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration allows Retrieve Embedded Sensitive Data. This issue affects WordPress Backup & Migration: from n/a through 1.5.3.
Values Added: Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration wp-migration-duplicator allows Retrieve Embedded Sensitive Data.This issue affects WordPress Backup & Migration: from n/a through <= 1.5.3.

Type: References
Values: (not shown)

Type: Metrics (cvssV3_1)
Value: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 17 Apr 2025 19:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Type: Description
Values Added: Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration allows Retrieve Embedded Sensitive Data. This issue affects WordPress Backup & Migration: from n/a through 1.5.3.

Type: Title
Values Added: WordPress WebToffee WP Backup and Migration plugin <= 1.5.3 - Sensitive Data Exposure vulnerability

Type: Weaknesses
Values Added: CWE-532

Type: References
Values: (not shown)

Type: Metrics (cvssV3_1)
Value: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.284Z

Reserved: 2025-01-23T14:51:41.777Z

Link: CVE-2025-24651

Vulnrichment

Updated: 2025-04-17T17:43:36.631Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:33.600

Modified: 2026-04-29T10:16:41.970

Link: CVE-2025-24651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:30:14Z

Weaknesses
  • CWE-532: Insertion of Sensitive Information into Log File