CVE-2024-9290

CRITICAL

Super Backup & Clone - Migrate <= 2.3.3 - Unauthenticated Arbitrary File Upload (RCE)

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-9290, with PoCs published by Jenderal92 and RandomRobbieBF.

AI-analyzed exploit summary: the PoCs target an unauthenticated arbitrary file upload in the Super Backup & Clone - Migrate WordPress plugin (CVE-2024-9290), reached through admin-ajax.php, which lets an attacker write arbitrary PHP files to `/wp-content/uploads/isnapshots/` and then request them for code execution. The Jenderal92 tool processes a list of targets with multiple threads and logs successful uploads.

Description

The Super Backup & Clone - Migrate for WordPress plugin is vulnerable to arbitrary file uploads due to missing file type validation and a missing capability check on the ibk_restore_migrate_check() function in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files (including PHP) to the affected site's server, which may make remote code execution possible.

Exploits (2)

nomisec WORKING POC 1 star
by Jenderal92 · poc
https://github.com/Jenderal92/CVE-2024-9290

This exploit targets the unauthenticated file upload vulnerability in the Super Backup & Clone WordPress plugin (CVE-2024-9290), uploading arbitrary PHP files to `/wp-content/uploads/isnapshots/`. It processes a list of targets with multiple threads and logs successful uploads.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Super Backup & Clone WordPress plugin
No auth needed
Prerequisites: List of target URLs · Python 2.7 · requests library
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-9290

This PoC demonstrates an unauthenticated arbitrary file upload vulnerability in the Super Backup & Clone - Migrate for WordPress plugin (CVE-2024-9290). The exploit leverages a missing capability check and file type validation in the `ibk_restore_migrate_check()` function to upload a malicious PHP file, leading to potential remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Super Backup & Clone - Migrate for WordPress <= 2.3.3
No auth needed
Prerequisites: Network access to the target WordPress site's admin-ajax.php endpoint
devstral-2 · analyzed Feb 16, 2026
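Both PoCs share the same footprint: an unauthenticated POST to admin-ajax.php that drops a PHP file under /wp-content/uploads/isnapshots/, followed by a direct request for that file. The following is an added detection example for this page, not code from the plugin or from either PoC. It assumes a combined-format access log, that the upload is reached via /wp-admin/admin-ajax.php and lands under /wp-content/uploads/isnapshots/ (both stated above), and it generalises the file check to the PHP-executable extensions most servers will run, not only `.php`; the log lines and the uploads tree it scans are constructed samples.

```python
"""Hunt for the CVE-2024-9290 exploit pattern in access logs and on disk.

Added example, not code from the plugin or the PoCs. Assumptions (labelled):
combined access-log format; vulnerable upload reached via admin-ajax.php;
dropped files land under /wp-content/uploads/isnapshots/ and are then fetched
directly by the attacker to execute them.
"""
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

AJAX_PATH = "/wp-admin/admin-ajax.php"
UPLOAD_DIR = "/wp-content/uploads/isnapshots/"
# Extensions most PHP servers execute; generalises beyond the .php the PoCs use.
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
WINDOW = timedelta(minutes=10)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one exploit sequence, one benign admin session, one probe.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "python-requests/2.25.1"
203.0.113.7 - - [14/Dec/2024:10:01:05 +0000] "GET /wp-content/uploads/isnapshots/x.php?cmd=id HTTP/1.1" 200 61 "-" "python-requests/2.25.1"
198.51.100.2 - - [14/Dec/2024:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.2 - - [14/Dec/2024:10:03:01 +0000] "GET /wp-content/uploads/2024/12/banner.png HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Dec/2024:11:30:00 +0000] "GET /wp-content/uploads/isnapshots/backup.zip HTTP/1.1" 404 0 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string before matching
    ev["status"] = int(ev["status"])
    return ev


def find_upload_then_exec(lines, window=WINDOW):
    """Return (ip, upload_time, php_path) for every client that POSTs to
    admin-ajax.php and, within `window`, fetches a PHP file from the isnapshots
    upload directory. The POST alone is noise (every WordPress front end uses
    admin-ajax.php); the follow-up request for PHP under uploads is what makes
    the pair a high-confidence indicator."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    hits = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["method"] != "POST" or ev["path"] != AJAX_PATH:
                continue
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                p = later["path"]
                if p.startswith(UPLOAD_DIR) and Path(p).suffix.lower() in PHP_EXTS:
                    hits.append((ip, ev["ts"], p))
                    break
    return hits


def find_php_in_uploads(uploads_root):
    """List files under the uploads directory with a PHP-executable extension.
    wp-content/uploads should hold media, not code, so every hit deserves a look."""
    root = Path(uploads_root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in PHP_EXTS
    )


def build_sample_tree():
    """Create a constructed uploads tree in a temp dir (one dropped PHP file,
    one image, one archive) and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    (root / "isnapshots").mkdir()
    (root / "2024" / "12").mkdir(parents=True)
    (root / "isnapshots" / "x.php").write_text("<?php /* constructed stand-in for a dropped file */ ?>\n")
    (root / "isnapshots" / "backup.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)
    (root / "2024" / "12" / "banner.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return str(root)


if __name__ == "__main__":
    for ip, ts, path in find_upload_then_exec(SAMPLE_LOG.splitlines()):
        print(f"{ip} posted to admin-ajax at {ts:%Y-%m-%d %H:%M:%S} then fetched {path}")
    print("PHP under uploads:", find_php_in_uploads(build_sample_tree()))
```

Run it against a real access log with `find_upload_then_exec(open(path))` and point `find_php_in_uploads` at the live `wp-content/uploads` directory. Either hit on a site that ran the plugin at or below 2.3.3 should be treated as a likely compromise, not just an attempt; the detector does not substitute for updating the plugin, whose root cause is the missing capability check and file type validation described above.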

Scores

CVSS v3 9.8
EPSS 0.0355
EPSS Percentile 87.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
azzaroco/Super Backup & Clone - Migrate for WordPress <= 2.3.3
Published Dec 13, 2024
Tracked Since Feb 18, 2026