Lucene search
Dmitrii IgnatyevWPEX-ID:7AC217DB-F332-404B-A265-6DC86FE747B9HistoryDec 08, 2023 - 12:00 a.m.
Backup Migration Staging < 1.3.6 - Sensitive Data Exposure
2023-12-0800:00:00
Dmitrii Ignatyev
40
sensitive data exposure
backup migration
staging
publicly accessible files
database tables
exploit
Description The plugin stores in-progress backups information in easy to find, publicly-accessible files, which may allow attackers monitoring those to leak sensitive information from the site’s backups.
1) Run a backup of the site
2) Notice the following files are all publicly available while the site is being backed up:
./wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_links.sql
./wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_users.sql
./wp-content/plugins/backup-backup/includes/htaccess/db_tables/wp_termmeta.sql
./wp-content/plugins/backup-backup/includes/htaccess/bmi_logs_this_backup.log
(... the list is not exhaustive, virtually every table accessible to the site gets dumped in those log files ...)Related
prion
prion
Design/Logic Flaw
2024-01-01 15:15:00
wpvulndb
wpvulndb
Backup Migration Staging < 1.3.6 - Sensitive Data Exposure
2023-12-08 00:00:00
nvd
nvd
CVE-2023-6271
2024-01-01 15:15:43
cvelist
cvelist
CVE-2023-6271 Backup Migration Staging < 1.3.6 - Sensitive Data Exposure
2024-01-01 14:18:55
cve
cve
CVE-2023-6271
2024-01-01 15:15:43
wordfence
wordfence
AI Score
9.2
Confidence
High
EPSS
0.001
Percentile
44.4%
Related for WPEX-ID:7AC217DB-F332-404B-A265-6DC86FE747B9