WordPress Plugin Vulnerability Report – Backup Migration – Unauthenticated Arbitrary File Download to Sensitive Information Exposure – CVE-2023-6266

Plugin Name: Backup Migration

Key Information:

  • Software Type: Plugin
  • Software Slug: backup-backup
  • Software Status: Active
  • Software Author: migrate
  • Software Downloads: 1,025,584
  • Active Installs: 90,000
  • Last Updated: November 30, 2023
  • Patched Versions: 1.3.7
  • Affected Versions: <= 1.3.6

Vulnerability Details:

  • Name: Backup Migration <= 1.3.6 - Unauthenticated Arbitrary File Download to Sensitive Information Exposure
  • Title: Unauthenticated Arbitrary File Download to Sensitive Information Exposure
  • Type: Information Exposure
  • CVE: CVE-2023-6266
  • CVSS Score: 7.5 (High)
  • Publicly Published: November 30, 2023
  • Researcher: Rafshanzani Suhada
  • Description: The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII, database credentials, and much more.


The Backup Migration plugin for WordPress has a vulnerability in versions up to and including 1.3.6 that allows unauthenticated arbitrary file download potentially exposing sensitive information. This vulnerability has been patched in version 1.3.7.

Detailed Overview:

Researcher Rafshanzani Suhada discovered an information exposure vulnerability in the Backup Migration plugin that allows any unauthenticated user to download sensitive backup files from affected WordPress sites. This is made possible due to insufficient validation of paths and files in the BMI_BACKUP case of the handle_downloading function prior to version 1.3.7. By exploiting this, an attacker could gain access to backup archives containing confidential data like passwords, personally identifiable information, database credentials, and more. This represents a significant security risk for WordPress sites running vulnerable versions of the widely used Backup Migration plugin.

Advice for Users:

  1. Immediate Action: Update to version 1.3.7 or higher as soon as possible.
  2. Check for Signs of Vulnerability: Review server access logs for any evidence of exploit attempts.
  3. Alternate Plugins: Consider alternative backup plugins like BackWPup or UpdraftPlus as a precaution.
  4. Stay Updated: Enable automatic background updates in WordPress to ensure plugins stay updated.


The prompt update released by the Backup Migration developers addresses a serious unauthenticated arbitrary file download vulnerability. Users should upgrade to version 1.3.7 immediately to prevent confidential data exposure. This incident highlights the critical importance of timely security updates for popular WordPress plugins.




Detailed Report:

Keeping your WordPress website secure should be a top priority – but with plugins and themes constantly needing updates, it can be a challenging task. Unfortunately, leaving your site outdated opens the door for cybercriminals to exploit vulnerabilities and compromise your data.

Case in point: a high severity security flaw was recently publicly disclosed in versions up to and including 1.3.6 of the popular Backup Migration plugin, used by over 90,000 WordPress sites. This plugin allows easy migration and backup of WordPress sites.

The vulnerability enables any unauthenticated remote attacker to download sensitive backup archives containing passwords, personal information, database credentials, and other confidential data. This is made possible due to insufficient validation of paths and files in the handle_downloading function of the plugin prior to version 1.3.7.

If exploited, this vulnerability gives attackers access to complete backups of vulnerable sites, including sensitive information like:

  • Usernames and passwords
  • Customer data and personal information
  • Payment details
  • Database credentials
  • Website source code and configuration data

This represents a critical security risk for any business relying on WordPress. Leaked passwords could lead to admin access and site takeovers. Stolen customer data ruins trust and enables identity theft.

There have been 5 previous vulnerabilities found in Backup Migration since November 2021, underscoring the importance of prompt security updates from plugin developers.

To mitigate this specific flaw, WordPress site owners using Backup Migration should immediately update to version 1.3.7 or higher, which addresses the arbitrary file download vulnerability. Be sure automatic background updates are enabled to maintain security going forward.

Review your server access logs to check for any evidence of exploit attempts targeting backup archives. As a precaution, also consider transitioning to alternative backup solutions such as BackWPup or UpdraftPlus.

This vulnerability highlights why small business owners on WordPress cannot afford to ignore security updates. Schedule regular reviews to check all your plugins, themes, PHP versions, and WordPress core files are fully updated. Alternatively, contact our team for help auditing and securing your website. Don’t take chances when it comes to unpatched security flaws - a data breach could critically damage your business.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WordPress Plugin Vulnerability Report – Backup Migration – Unauthenticated Arbitrary File Download to Sensitive Information Exposure – CVE-2023-6266 FAQs

Leave a Comment