CVE-2023-6271 – The Backup Migration WordPress plugin before ve... (How to Fix)

Q: What is the severity of CVE-2023-6271?

CVE-2023-6271 has a CVSS score of 7.5 (HIGH). The Backup Migration WordPress plugin before version 1.3.6 stores in-progress backup information in publicly accessible files, allowing unauthenticated attackers to monitor and leak sensitive data from site backups. This affects all WordPress sites using vulnerable versions of the plugin.

📋 TL;DR

The Backup Migration WordPress plugin before version 1.3.6 stores in-progress backup information in publicly accessible files, allowing unauthenticated attackers to monitor and leak sensitive data from site backups. This affects all WordPress sites using vulnerable versions of the plugin.

💻 Affected Systems

Products:

Backup Migration WordPress plugin

Versions: All versions before 1.3.6

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations with vulnerable plugin versions installed and activated.

📦 What is this software?

Backup Migration by Backupbliss

View all CVEs affecting Backup Migration →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full control of the WordPress site by extracting sensitive backup data including database credentials, admin sessions, and configuration files.

🟠

Likely Case

Unauthenticated attackers exfiltrate sensitive backup data containing database content, user information, and site configuration.

🟢

If Mitigated

Limited information disclosure if backups contain minimal sensitive data and proper access controls are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Proof-of-concept exploit code is publicly available and requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.6

Vendor Advisory: https://wordpress.org/plugins/backup-backup/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Backup Migration plugin. 4. Click 'Update Now' if available, or manually update to version 1.3.6 or later.

🔧 Temporary Workarounds

Disable plugin temporarily

all

Deactivate the Backup Migration plugin until patched

wp plugin deactivate backup-backup

Block access to backup files

linux

Add .htaccess rules to block public access to backup directories

Add to .htaccess: Order Deny,Allow
Deny from all

🧯 If You Can't Patch

Disable the Backup Migration plugin immediately
Implement web application firewall rules to block access to backup file paths

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Backup Migration version number

Check Version:

wp plugin get backup-backup --field=version

Verify Fix Applied:

Verify plugin version is 1.3.6 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unusual access patterns to backup file paths
Multiple failed attempts to access backup directories

Network Indicators:

HTTP requests to backup-related file paths from external IPs

SIEM Query:

source="web_logs" AND (uri_path="/wp-content/backup*" OR uri_path="/wp-content/uploads/backup*")

📊 Metadata

CVE ID: CVE-2023-6271

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Published: January 1, 2024

Last Updated: June 11, 2025

🔗 References

https://research.cleantalk.org/cve-2023-6271-backup-migration-unauth-sensitive-data-exposure-to-full-control-of-the-site-poc-exploit Exploit,Third Party Advisory
https://wpscan.com/vulnerability/7ac217db-f332-404b-a265-6dc86fe747b9 Exploit,Third Party Advisory
https://research.cleantalk.org/cve-2023-6271-backup-migration-unauth-sensitive-data-exposure-to-full-control-of-the-site-poc-exploit Exploit,Third Party Advisory
https://wpscan.com/vulnerability/7ac217db-f332-404b-a265-6dc86fe747b9 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON