Introduction
A single unauthenticated HTTP request chain against the WordPress Backup Migration plugin can hand an attacker a complete copy of your site's database, including user credentials, session tokens, and every piece of stored content. With over 90,000 active installations, CVE-2023-54346 represents a significant exposure across the WordPress ecosystem.
The Backup Migration plugin, developed by BackupBliss, provides WordPress administrators with tools to create, schedule, and manage site backups. It is one of the more popular backup solutions in the WordPress plugin directory, and its broad adoption means that a vulnerability of this nature has a wide blast radius. The plugin's relevance extends beyond individual sites; managed hosting providers and agencies frequently deploy it across client portfolios.
Technical Information
CVE-2023-54346 is classified under CWE-538: Insertion of Sensitive Information into Externally Accessible File or Directory. The root cause is straightforward: the plugin stores its configuration files, operational logs, and backup archives in directories that are directly accessible over HTTP, with no authentication or authorization checks enforced at the web server or application level.
Specifically, the plugin writes a config.json file and a complete_logs.log file into the /wp-content/backup-migration/ directory. The config.json file contains the randomized directory name used for backup storage, along with the site administrator's email address. The complete_logs.log file records the exact filenames of created backup archives. The backup archives themselves are stored in a subdirectory following the pattern /wp-content/backup-migration-[random_string]/backups/.
While the directory name includes a random string component, this randomness provides no security because the configuration file that reveals it is itself publicly accessible. The entire security model collapses once an attacker reads config.json.
Attack Flow
The publicly documented exploit (EDB-51445) demonstrates a four-step unauthenticated attack chain:
Step 1: Version Fingerprinting. The attacker sends a GET request to the plugin's readme.txt to confirm that a vulnerable version (1.2.8 or older) is installed.
Step 2: Configuration Exposure. The attacker requests the config.json file, which reveals the randomized backup storage directory name and the administrator's email address.
Step 3: Log Enumeration. The attacker requests the complete_logs.log file, which contains the exact filenames of all backup archives that have been created.
Step 4: Backup Exfiltration. Using the directory name from Step 2 and the archive filename from Step 3, the attacker constructs a direct download URL and retrieves the full database backup.
The request sequence looks like this:
```http
GET /wp-content/plugins/backup-backup/readme.txt
GET /wp-content/backup-migration/config.json
GET /wp-content/backup-migration/complete_logs.log
GET /wp-content/backup-migration-[random_string]/backups/BM_Backup_[date]_[time]_[random_string].zip
```
No authentication is required at any step. The entire chain can be automated trivially, and the resulting ZIP archive contains a full database dump. For a typical WordPress installation, this means user tables with hashed passwords, email addresses, post content, plugin configuration data, and potentially stored API keys or other secrets.
Detection Methods
Because the attack chain follows a very specific multi-step HTTP request pattern, there are several practical ways to detect exploitation in progress or after the fact.
Web Server Access Log Analysis
The most effective detection approach centers on monitoring web server access logs (Apache, Nginx, or WAF logs) for unauthenticated HTTP GET requests to the following paths:
- /wp-content/plugins/backup-backup/readme.txt (version fingerprinting)
- /wp-content/backup-migration/config.json (configuration exposure)
- /wp-content/backup-migration/complete_logs.log (log enumeration)
- /wp-content/backup-migration-<random>/backups/<backup_filename>.zip (backup exfiltration)
A single request to any of these paths from an unauthenticated user is suspicious. The strong indicator of active exploitation is observing sequential requests from the same source IP hitting these endpoints in order, often within a short time window. Security teams should build log correlation rules or SIEM queries that flag this pattern.
Web Application Firewall (WAF) Monitoring
Configure WAF rules to block or alert on unauthenticated access to the /wp-content/backup-migration/ directory tree. Pay special attention to requests for .json, .log, and .zip files within that path hierarchy. HTTP 200 responses for these requests to unauthenticated users are strong indicators of a vulnerable configuration or active exploitation.
Network Level Indicators
Monitor for unusually large outbound HTTP responses from your WordPress server, particularly from paths containing backup-migration. A successful backup exfiltration produces a response containing a full ZIP archive of the database, which is significantly larger than typical web traffic. Anomaly detection on response sizes for requests to the wp-content directory can help catch this activity.
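The log correlation rule described under Web Server Access Log Analysis, together with the large-response check from this section, as an added example that is not part of the original advisory: it parses Apache/Nginx combined-format access lines, flags a source IP that hits the four chain paths in order within a time window, and separately reports every HTTP 200 ZIP download from the backup directory with its byte size. The log format, the window length and the sample lines are assumptions; the sample traffic is constructed.

```python
import re
from datetime import datetime
# Apache/Nginx combined log format (assumed layout of the constructed sample below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The four stages of the CVE-2023-54346 chain, in the order the public exploit issues them.
STAGES = [
    ("fingerprint", re.compile(r"^/wp-content/plugins/backup-backup/readme\.txt$")),
    ("config", re.compile(r"^/wp-content/backup-migration/config\.json$")),
    ("logs", re.compile(r"^/wp-content/backup-migration/complete_logs\.log$")),
    ("exfil", re.compile(r"^/wp-content/backup-migration-[^/]+/backups/[^/]+\.zip$")),
]

def stage_of(path):
    """Map a request path (query string stripped) to a chain stage name, or None."""
    return next((n for n, rx in STAGES if rx.match(path.split("?", 1)[0])), None)

def detect_chain(log_lines, window_seconds=600):
    """Return (chains, exfils): chains maps each IP that hit all four stages in order within
    the window to the stage list; exfils lists (ip, path, bytes) for HTTP 200 ZIP downloads."""
    order = [name for name, _ in STAGES]
    progress, chains, exfils = {}, {}, []   # progress: ip -> (next_stage_idx, first_hit_ts)
    for line in log_lines:
        m = LOG_RE.match(line)
        stage = stage_of(m["path"]) if m else None
        if stage is None:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        if stage == "exfil" and m["status"] == "200":
            exfils.append((m["ip"], m["path"], int(m["size"]) if m["size"].isdigit() else 0))
        idx, first = progress.get(m["ip"], (0, ts))
        if idx == 0 or (ts - first).total_seconds() > window_seconds:
            idx, first = 0, ts                  # (re)start the chain clock on this hit
        if stage == order[idx]:
            idx += 1
        if idx == len(order):                   # all four stages seen in order
            chains[m["ip"]] = order[:]
            idx = 0
        progress[m["ip"]] = (idx, first)
    return chains, exfils

# Constructed sample log (not real traffic): one full chain from 203.0.113.7, one failed probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2023:14:02:01 +0000] "GET /wp-content/plugins/backup-backup/readme.txt HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Dec/2023:14:02:03 +0000] "GET /wp-content/backup-migration/config.json HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.7 - - [10/Dec/2023:14:02:05 +0000] "GET /wp-content/backup-migration/complete_logs.log HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [10/Dec/2023:14:02:09 +0000] "GET /wp-content/backup-migration-abc123/backups/BM_Backup_2023-12-10_14-00_abc123.zip HTTP/1.1" 200 48123456 "-" "curl/8.0"
198.51.100.2 - - [10/Dec/2023:14:05:00 +0000] "GET /wp-content/backup-migration/config.json HTTP/1.1" 404 198 "-" "Mozilla/5.0"
""".splitlines()
```

Feed it a real access log with `detect_chain(open(path))`; a non-empty `chains` result is the in-order pattern the text calls a strong indicator, while `exfils` alone catches a direct download by someone who already knew the archive name.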
WordPress Level Detection
Verify whether the Backup Migration plugin is present at version 1.2.8 or below by checking the plugin's readme.txt file or the WordPress admin panel. If the vulnerable version is detected, immediately verify whether the config.json and complete_logs.log files are publicly accessible, which would confirm the exposure.
Reconnaissance Detection
The public exploit includes a Google dork for finding exposed instances, combining directory listing titles for /wp-content/plugins/backup-backup with corresponding URL patterns. Inbound traffic with Google referrer headers pointing to such searches may indicate that your site has been discovered through reconnaissance.
No dedicated Sigma rules, YARA rules, or IDS/Snort signatures specifically for CVE-2023-54346 were identified in verified public sources.
Affected Systems and Versions
The vulnerability affects the WordPress Backup Migration plugin in the following versions:
| Plugin Version | Status |
|---|---|
| 1.2.8 and all older versions | Vulnerable to CVE-2023-54346 (Information Disclosure) |
| 1.2.9 | Patched for CVE-2023-54346 |
| 1.3.7 | Patched for CVE-2023-54346 but vulnerable to CVE-2023-6553 (Remote Code Execution) |
| 1.3.8 | Patched for CVE-2023-6553 |
| 2.1.5.1 | Current stable release |
Any WordPress installation running the Backup Migration plugin (slug: backup-backup) at version 1.2.8 or earlier is affected. The plugin is available through the official WordPress plugin directory and has over 90,000 active installations.
Vendor Security History
BackupBliss, the developer of the Backup Migration plugin, has a notable security track record. Following the information disclosure vulnerability in version 1.2.8, a separate critical vulnerability was discovered in version 1.3.7. That flaw, tracked as CVE-2023-6553, allowed unauthenticated remote code execution and carried a CVSS score of 9.8. Wordfence reported actively blocking attacks targeting that RCE vulnerability.
The presence of two high-severity unauthenticated vulnerabilities discovered within a relatively short timeframe in the same plugin is a pattern worth noting. Organizations that rely on this plugin should maintain automated update policies and consider additional monitoring around the plugin's file paths.
References
- CVE Record: CVE-2023-54346
- VulnCheck Advisory: WordPress Plugin Backup Migration 1.2.8 Unauthenticated Database Backup Download
- Wordfence: Backup Migration <= 1.2.8 Sensitive Information Exposure
- Exploit-DB: WordPress Plugin Backup Migration 1.2.8 (EDB-51445)
- BackupBliss Vendor Site
- Backup Migration Plugin on WordPress.org
- Acunetix: WordPress Plugin Backup Migration Information Disclosure 1.2.8
- Wordfence: Backup Migration <= 1.3.7 Unauthenticated Remote Code Execution
- WordPress Plugin Archive: backup-backup 1.2.8