Impact
The Backup Migration plugin for WordPress versions up to 2.1.1 contains an unauthenticated sensitive data exposure flaw. The vulnerability allows anyone to read backup files or other sensitive data that the plugin stores or transmits without requiring authentication. The weakness is identified as CWE-201, which describes a failure to protect sensitive data that could be exposed to an attacker.
Affected Systems
Affecting the Inisev Backup Migration plugin, all users running version 2.1.1 or earlier are vulnerable. The issue is specific to that plugin and does not extend to other WordPress components. Identifying a vulnerable installation requires checking the installed plugin version; any instance of 2.1.1 or older exposes sensitive data.
Risk and Exploitability
With a CVSS score of 7.5 the flaw is considered high severity. The EPSS score of less than 1% indicates a very low probability that the vulnerability will see active exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is unauthenticated, meaning an attacker only needs to reach the plugin’s exposed endpoints or files, making the risk of data leakage significant if the plugin is accessible publicly or via an open network.
OpenCVE Enrichment