Backup Migration WordPress Plugin Unauthenticated Backup Download Vulnerability

Vulnerability

A vulnerability exists in the Backup Migration WordPress plugin in versions prior to 2.0.0. Under certain server configurations the plugin generates backup paths incorrectly, leaving a log file readable by unauthenticated users. That log file reveals the backup filename, which in turn allows the backup archive to be downloaded without authentication.

Impact

Exploitation of this vulnerability leads to unauthorized access to backup files, which may contain sensitive information.

Reproduction

The vulnerability can be reproduced only under the affected server configurations. After logging in as a WordPress administrator, navigate to the Backup Migration plugin panel and create a backup. Once the backup completes, a log file named 'latest.log' is written to the 'wp-content/backup-migration/backups/' directory. This log file is readable by unauthenticated users and contains the name of the newly created backup file, so the backup archive can then be downloaded using the filename taken from the log.
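Because exploitation leaves a distinctive two-step pattern in web server logs (an anonymous read of 'latest.log' followed by a download of an archive from the same directory), site operators can check their access logs for it. The following detection script is an added example and is not part of the advisory or of the plugin; it parses Apache "combined"-format lines, which are constructed here for illustration (the client IPs are documentation-range addresses and 'BM_example_backup.zip' is a placeholder, not the plugin's real archive naming scheme). It flags each client that successfully read the log file or fetched a file from the backups directory, and separately counts requests to that directory that were refused, which is what you would expect to see after the plugin is updated or the directory is blocked at the web server.

```python
import re
from collections import defaultdict

# Paths named in the advisory; the web server sees them relative to the site root.
BACKUP_DIR = "/wp-content/backup-migration/backups/"
LATEST_LOG = BACKUP_DIR + "latest.log"

# Constructed sample access log lines (Apache "combined" format).
# Client addresses use documentation ranges; the .zip name is a placeholder.
SAMPLE_LOG = """203.0.113.5 - - [24/Nov/2025:06:19:01 +0000] "GET /wp-content/backup-migration/backups/latest.log HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [24/Nov/2025:06:19:04 +0000] "GET /wp-content/backup-migration/backups/BM_example_backup.zip HTTP/1.1" 200 10485760 "-" "curl/8.4.0"
198.51.100.9 - - [24/Nov/2025:06:20:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Nov/2025:06:20:12 +0000] "GET /wp-content/backup-migration/backups/latest.log HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Nov/2025:06:21:00 +0000] "GET /index.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so path comparisons are exact.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def analyze(lines):
    """Group requests under the backups directory by client address.

    For each client we record successful (HTTP 200) reads of latest.log,
    successful downloads of any other file in the directory (candidate backup
    archives), and requests to the directory that did not succeed (for example
    403 after the directory is blocked, or 404 when no backup exists).
    """
    findings = defaultdict(lambda: {"log_reads": 0, "downloads": [], "denied": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(BACKUP_DIR):
            continue
        entry = findings[rec["ip"]]
        if rec["status"] != 200:
            entry["denied"] += 1
        elif rec["path"] == LATEST_LOG:
            entry["log_reads"] += 1
        else:
            entry["downloads"].append(rec["path"])
    return dict(findings)


def suspected_exfiltration(findings):
    """Clients that both read latest.log and then fetched a file from the directory."""
    return sorted(ip for ip, f in findings.items() if f["log_reads"] and f["downloads"])


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for ip, f in results.items():
        print(f"{ip}: log_reads={f['log_reads']} downloads={f['downloads']} denied={f['denied']}")
    print("suspected backup exfiltration from:", suspected_exfiltration(results))
```

Run it against a real log with `analyze(open("/var/log/apache2/access.log").readlines())`; a client that appears in `suspected_exfiltration` should be treated as having obtained a copy of the backup, and any non-zero `downloads` count from before the plugin was updated deserves the same attention. Nginx logs in the default format parse with the same regular expression.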

Remediation

Users are advised to update the Backup Migration WordPress plugin to version 2.0.0 or later.

Added: Nov 24, 2025, 6:19 AM
Updated: Nov 24, 2025, 11:16 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  7.6
remediation     7.7
relevance       1.1
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.