CVE-2023-6972 : The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all

The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

Published 2023-12-23 02:15:45

Updated 2023-12-29 06:21:33

Source Wordfence

View at NVD, CVE.org

Vulnerability category: Directory traversalExecute code

Products affected by CVE-2023-6972

Backupbliss » Backup Migration » For Wordpress
Versions before (<) 1.4.0
cpe:2.3:a:backupbliss:backup_migration:*:*:*:*:*:wordpress:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-6972

EPSS FAQ

3.77%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 87 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-6972

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	Wordfence
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2023-6972

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-6972

https://plugins.trac.wordpress.org/changeset/3012745/backup-backup

Changeset 3012745 for backup-backup – WordPress Plugin Repository
Patch

CVEs referencing this url
https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/bypasser.php

429 Too Many Requests
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/0a3ae696-f67d-4ed2-b307-d2f36b6f188c?source=cve

Backup Migration <= 1.3.9 - Unauthenticated Path Traversal to Arbitrary File Deletion
Patch;Third Party Advisory
https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/backup-heart.php

backup-heart.php in backup-backup/tags/1.3.9/includes – WordPress Plugin Repository
Patch

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-6972

Products affected by CVE-2023-6972

Exploit prediction scoring system (EPSS) score for CVE-2023-6972

CVSS scores for CVE-2023-6972

CWE ids for CVE-2023-6972

References for CVE-2023-6972