CVE-2023-54346

HIGH

WordPress Plugin Backup Migration 1.2.8 Unauthenticated Database Backup Download

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-54346. PoCs published by Wadeek.

AI-analyzed exploit summary: This exploit demonstrates an unauthenticated database backup disclosure vulnerability in WordPress Plugin Backup Migration 1.2.8. It outlines steps to retrieve the backup directory name and download the backup archive without authentication.

Description

WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps.

Exploits (1)

exploitdb · WORKING POC
by Wadeek · text · webapps · php
https://www.exploit-db.com/exploits/51445


Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin Backup Migration 1.2.8
Authentication: No auth needed
Prerequisites: Access to the target WordPress site · Plugin version 1.2.8 installed
devstral-2 · analyzed May 05, 2026

References (4)

Core References
Exploit: ExploitDB-51445
https://www.exploit-db.com/exploits/51445
Product: Official Product Homepage
https://backupbliss.com/
Third Party Advisory: VulnCheck Advisory: WordPress Plugin Backup Migration 1.2.8 Unauthenticated Database Backup Download
https://www.vulncheck.com/advisories/wordpress-plugin-backup-migration-unauthenticated-database-backup-download

Scores

CVSS v3 7.5
EPSS 0.0031
EPSS Percentile 22.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE: CWE-538
Status published
Products (1)
Backupbliss/WordPress Plugin Backup Migration 1.2.8
Published May 05, 2026
Tracked Since May 05, 2026