CVSS 7.5 · HIGH

CVE-2023-54346

WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps.

Analysis

This WordPress plugin has over 90,000 active installations and is part of the widely used WordPress ecosystem. The vulnerability allows unauthenticated attackers to find and download complete database dumps due to predictable file paths, posing a high risk of data exfiltration for site administrators.

Severity

Score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: NONE
A: NONE
Weakness (CWE): CWE-538

EPSS

Probability of exploitation (next 30 days): 0.0004 (0.0%)
Percentile: 12.0%
EPSS: 2026-05-06

Published: 5/5/2026, 12:16:17 PM
Last modified: 5/5/2026, 7:47:57 PM
