CVE-2023-54346 PUBLISHED

WordPress Plugin Backup Migration 1.2.8 Unauthenticated Database Backup Download

Assigner: VulnCheck
Reserved: 10.01.2026 Published: 05.05.2026 Updated: 05.05.2026

WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Backupbliss
Product WordPress Plugin Backup Migration
Versions
  • Version 1.2.8 is affected

Credits

  • Wadeek finder

References

Problem Types

  • Insertion of Sensitive Information into Externally-Accessible File or Directory CWE