CVE-2023-6972 in Backup Migration Plugin
Summary
by MITRE • 12/23/2023
The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.
Analysis
by VulDB Data Team • 04/11/2026
The Backup Migration plugin for WordPress presents a critical path traversal vulnerability that affects all versions up to and including 1.3.9. This flaw exists within the plugin's handling of specific HTTP headers, namely 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy', creating a significant security risk for WordPress installations that utilize this backup solution. The vulnerability stems from inadequate input validation and sanitization mechanisms that fail to properly restrict file system access when processing these headers, allowing attackers to manipulate file paths and gain unauthorized access to critical system files.
Unauthenticated attackers can exploit the flaw with crafted HTTP requests that manipulate the affected headers. When the plugin processes these headers without proper validation, it can interpret user-supplied input as legitimate file system paths, which lets attackers traverse directory structures and reach files outside the intended scope. This weakness maps directly to CWE-22 (Path Traversal), the class of flaws in which an application fails to properly validate or sanitize user input before using it in file system operations. The vulnerability enables arbitrary file deletion, including deletion of the critical wp-config.php file that contains database credentials and other sensitive configuration data.
The operational impact extends beyond file deletion to complete site takeover and potential remote code execution. When attackers can delete the wp-config.php file, they effectively remove the WordPress installation's database connection information and security keys, rendering the site inoperable and allowing for complete administrative control. Attackers can exploit this vulnerability to gain persistent access to compromised WordPress installations, which makes it particularly dangerous for websites that rely on this plugin for backup operations. Because no authentication is required, any attacker can exploit the vulnerability regardless of their access level to the WordPress site, and the potential for remote code execution through subsequent exploitation makes this a high-severity threat that aligns with ATT&CK technique T1059.001 for command and scripting interpreter usage.
Organizations using the Backup Migration plugin must implement immediate mitigations to protect their WordPress installations from this vulnerability. The primary recommendation involves upgrading to the latest version of the plugin where the path traversal flaw has been patched and properly addressed. System administrators should also implement network-level protections such as web application firewalls that can detect and block malicious requests targeting the affected headers. Additionally, monitoring for unusual file deletion patterns and unauthorized access attempts should be implemented to detect potential exploitation attempts. Security teams should conduct thorough vulnerability assessments to ensure that no other plugins or components within the WordPress ecosystem are susceptible to similar path traversal issues, as this vulnerability demonstrates the critical importance of proper input validation and secure file system access controls in web applications.
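One way to screen requests for the header abuse described above, as an added example that is not part of the original advisory or the plugin's code: it checks the five header names from the advisory for values that would resolve outside an intended directory. `BASE_DIR`, the function names and the sample requests are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Header names taken from the advisory text.
WATCHED_HEADERS = {
    "content-backups", "content-name", "content-manifest",
    "content-bmitmp", "content-identy",
}

# Assumption: hypothetical directory that backup file operations should stay inside.
BASE_DIR = "/var/www/html/wp-content/backups"


def escapes_base(value, base=BASE_DIR):
    """Return True if value, used as a path under base, resolves outside base."""
    # Decode up to three times so double-encoded sequences (%252e) are caught.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if "\x00" in value:  # a NUL byte never belongs in a file name
        return True
    value = value.replace("\\", "/")  # treat Windows separators the same way
    # Lexical check only; a server-side fix should also resolve symlinks.
    resolved = posixpath.normpath(posixpath.join(base, value))
    return not (resolved == base or resolved.startswith(base + "/"))


def screen_request(headers):
    """Return the watched header names (lowercased, sorted) that leave BASE_DIR."""
    hits = [name.lower() for name, value in headers.items()
            if name.lower() in WATCHED_HEADERS and escapes_base(value)]
    return sorted(hits)


# Constructed sample requests (headers only), not captured traffic.
SAMPLES = [
    {"Host": "example.test", "Content-Name": "site-2024-01-01.zip"},
    {"Host": "example.test", "Content-Name": "../../wp-config.php"},
    {"Host": "example.test", "content-manifest": "%2e%2e%2f%2e%2e%2fwp-config.php"},
    {"Host": "example.test", "X-Other": "../../ignored"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(screen_request(sample) or "clean", sample)
```

The check is a containment test rather than a search for `../`, so a value such as `sub/../file.zip` that stays inside the directory is not flagged, while absolute paths and encoded traversal sequences are.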