CVE-2023-54346 Overview
CVE-2023-54346 is an information disclosure vulnerability in the WordPress Backup Migration plugin version 1.2.8. The flaw allows unauthenticated attackers to download complete database backups by accessing predictable file paths exposed by the plugin. Attackers enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve archives containing full database dumps. The vulnerability is classified under [CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory]. Because exploitation requires no authentication and only network access to the WordPress site, any internet-facing installation running the affected plugin version is exposed.
Critical Impact
Unauthenticated remote attackers can download full WordPress database backups, exposing user credentials, session data, post content, and configuration secrets.
Affected Products
- WordPress Plugin Backup Migration (Backup Bliss) version 1.2.8
- WordPress sites with the affected plugin installed and accessible over the network
- Backup archives stored in plugin-default web-accessible directories
Discovery Timeline
- 2026-05-05 - CVE-2023-54346 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2023-54346
Vulnerability Analysis
The Backup Migration plugin stores generated backup archives in a predictable directory under the WordPress installation. Configuration files and verbose log files reachable over HTTP reveal the directory structure, archive naming convention, and recent backup file names. An unauthenticated attacker requests these auxiliary files, parses them to recover archive paths, and then issues a direct GET request for the backup ZIP. The server returns the archive without performing authentication, capability, or referer checks. The archive typically contains a complete mysqldump of the WordPress database along with wp-config.php and uploaded media.
Root Cause
The root cause is improper access control on backup artifacts and operational metadata. The plugin places backup files inside a web-accessible path and does not enforce server-side authorization or use unguessable, single-use tokens for download URLs. Verbose logs and configuration files disclose enough information to reconstruct the file paths, defeating any reliance on path obscurity.
Attack Vector
Exploitation occurs entirely over the network with no user interaction and no authentication. An attacker first requests the plugin's configuration and log endpoints to enumerate the backup storage location and archive file names. The attacker then issues a direct HTTP GET to the archive URL and receives the full backup file. With the database dump in hand, the attacker can recover password hashes, session tokens, secret keys, and personally identifiable information. Technical details and a proof of concept are documented in the Exploit-DB entry #51445 and the VulnCheck advisory for the Backup Migration plugin.
No verified exploit code is reproduced here. Refer to the linked advisories for technical specifics.
Detection Methods for CVE-2023-54346
Indicators of Compromise
- Unauthenticated HTTP GET requests to /wp-content/backups/ or /wp-content/backup-migration/ paths returning ZIP archives
- Access log entries fetching plugin configuration or log files such as config.php or complete_logs from the backup-backup plugin directory
- Outbound transfers of large ZIP files from the WordPress server to unfamiliar source IPs
- Repeated 200-response downloads of files matching backup naming patterns from a single remote IP
Detection Strategies
- Monitor web server access logs for unauthenticated requests targeting paths under the backup-backup plugin directory.
- Alert on HTTP responses serving .zip, .sql, or .tar.gz files from /wp-content/ to clients lacking an authenticated WordPress session cookie.
- Inspect WAF telemetry for requests containing the strings backup-backup, complete_logs, or known backup file extensions.
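The log review described in the indicator and detection lists above, as an added example that is not from the advisory or the plugin: it assumes the combined log format with the request's Cookie header appended as one extra quoted field, and flags 200-response fetches of backup archives or plugin metadata by clients that carry no wordpress_logged_in_ cookie. The sample lines are constructed.

```python
import re
from collections import Counter

# Assumed log format: combined format with the request's Cookie header appended
# as a final quoted field (not the default; log $http_cookie / %{Cookie}i).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "[^"]*"(?: "(?P<cookie>[^"]*)")?'
)
BACKUP_DIRS = ("/wp-content/backups/", "/wp-content/backup-migration/",
               "/wp-content/plugins/backup-backup/")
ARCHIVE_EXT = (".zip", ".sql", ".tar.gz")
METADATA_FILES = {"complete_logs", "config.php"}
LOGGED_IN_COOKIE = "wordpress_logged_in_"   # prefix of the WordPress auth cookie

def classify(line):
    """Return (ip, path, reason) for a suspicious fetch, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET" or m["status"] != "200":
        return None
    path = m["target"].split("?", 1)[0].lower()
    if not path.startswith(BACKUP_DIRS):
        return None
    name = path.rsplit("/", 1)[-1]
    if name in METADATA_FILES:
        reason = "plugin metadata read"
    elif name.endswith(ARCHIVE_EXT):
        reason = "backup archive download"
    else:
        return None
    if LOGGED_IN_COOKIE in (m["cookie"] or ""):
        return None  # authenticated WordPress session: expected traffic
    return (m["ip"], path, reason)

def scan(lines):
    """Return all findings plus a per-IP count to surface repeated downloads."""
    findings = [f for f in map(classify, lines) if f]
    return findings, Counter(f[0] for f in findings)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [05/May/2026:10:01:02 +0000] "GET /wp-content/plugins/backup-backup/complete_logs HTTP/1.1" 200 8421 "-" "curl/8.0" "-"',
    '203.0.113.7 - - [05/May/2026:10:01:05 +0000] "GET /wp-content/backup-migration/backup-2026-05-04.zip HTTP/1.1" 200 52428800 "-" "curl/8.0" "-"',
    '203.0.113.7 - - [05/May/2026:10:01:09 +0000] "GET /wp-content/backup-migration/backup-2026-05-03.zip HTTP/1.1" 200 51200000 "-" "curl/8.0" "-"',
    '198.51.100.4 - - [05/May/2026:10:02:00 +0000] "GET /wp-content/backup-migration/backup-2026-05-04.zip HTTP/1.1" 200 52428800 "-" "Mozilla/5.0" "wordpress_logged_in_abc123=admin%7Cexample"',
    '198.51.100.9 - - [05/May/2026:10:03:00 +0000] "GET /wp-content/uploads/2026/05/photo.jpg HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for ip, path, reason in scan(SAMPLE_LOG)[0]:
        print(f"{ip} {reason}: {path}")
```

A metadata read followed within seconds by archive downloads from the same IP, as in the sample, is the sequence the advisory describes and is worth a higher-severity alert than either event alone.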
Monitoring Recommendations
- Enable verbose access logging on the WordPress front-end web server and forward logs to a centralized analytics platform.
- Track the volume and size of files served from wp-content directories to baseline normal behavior and flag anomalies.
- Review file integrity monitoring alerts for new backup archives created in web-accessible directories.
How to Mitigate CVE-2023-54346
Immediate Actions Required
- Update the Backup Migration plugin to a version later than 1.2.8 that addresses unauthenticated file access.
- Delete or relocate any existing backup archives from web-accessible plugin directories to a path outside the document root.
- Rotate WordPress secret keys, administrative passwords, and database credentials if backups may have been downloaded.
Patch Information
Update the plugin from the WordPress.org repository to the latest available release. The vulnerable build is distributed as backup-backup version 1.2.8; install a release that supersedes this version. Review the VulnCheck advisory for vendor-confirmed fixed versions and the Backup Bliss product page for vendor guidance.
Workarounds
- Block public HTTP access to the plugin's backup, configuration, and log paths at the web server or WAF layer until patching is complete.
- Add a Deny from all rule (Require all denied on Apache 2.4) in .htaccess for the plugin's backup storage directory on Apache, or an equivalent location block on Nginx.
- Disable the Backup Migration plugin and remove on-disk backups if an immediate update is not feasible.
# Nginx: deny direct access to plugin backup and log artifacts.
# Regex locations are tried in order, so place these before any generic
# location ~ \.php$ block; deny all already answers 403, return 403 makes
# the response explicit and stops processing before any handler runs.
location ~* /wp-content/(backups|backup-migration)/ {
    deny all;
    return 403;
}
# Matches by extension only; extension-less files such as complete_logs
# need their own pattern if they are served from this directory.
location ~* /wp-content/plugins/backup-backup/.*\.(log|sql|zip|tar\.gz)$ {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.