CVE-2023-6972
📋 TL;DR
The Backup Migration plugin for WordPress has a path traversal vulnerability that allows unauthenticated attackers to delete arbitrary files via manipulated HTTP headers. This can lead to deletion of critical files like wp-config.php, potentially enabling site takeover and remote code execution. All WordPress sites using this plugin up to version 1.3.9 are affected.
💻 Affected Systems
- Backup Migration WordPress Plugin (slug: backup-backup), all versions up to and including 1.3.9
📦 What is this software?
Backup Migration by Backupbliss
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise via wp-config.php deletion leading to database credentials exposure, followed by remote code execution and full administrative control of the WordPress site.
Likely Case
Critical file deletion causing site downtime, data loss, and potential credential exposure requiring full site restoration.
If Mitigated
Limited impact with proper file permissions and web application firewall blocking malicious header patterns.
🎯 Exploit Status
Exploitation requires only an unauthenticated HTTP request to the plugin's vulnerable scripts (the includes/backup-heart.php and includes/bypasser.php files cited in the references) carrying a crafted value, such as a path with ../ sequences, in one of the 'content-backups', 'content-name', 'content-manifest', 'content-bmitmp' or 'content-identy' headers. No login, session or user interaction is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.0 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3012745/backup-backup
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Backup Migration' plugin.
4. Click 'Update Now' if available, or manually update to version 1.4.0 or later.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Backup Migration plugin until it can be patched. Note that deactivating a WordPress plugin leaves its PHP files on disk; if the vulnerable scripts can still be requested directly, deactivation alone may not be enough, so remove the plugin entirely (WP-CLI `wp plugin delete`) and reinstall 1.4.0+ later.
wp plugin deactivate backup-backup
Web Application Firewall rule
Block HTTP requests whose plugin headers contain traversal sequences at the WAF or reverse-proxy level. All five headers must be covered, not just content-backups.
# Example nginx rule. Put the map in the http context; it sets $bm_traversal to 1
# when any of the five plugin headers contains "..". The "|" separators stop two
# harmless values from forming ".." across a header boundary.
map "$http_content_backups|$http_content_name|$http_content_manifest|$http_content_bmitmp|$http_content_identy" $bm_traversal {
    default  0;
    "~\.\."  1;
}
# Then add this inside your existing PHP location block (location ~* \.php$ { ... }):
if ($bm_traversal) { return 403; }
🧯 If You Can't Patch
- Implement strict file permissions (wp-config.php should be 400 or 440). Caveat: PHP's unlink() succeeds if the web server user can write to the containing directory, regardless of the file's own mode, so on hosts where PHP owns the WordPress root this does not by itself prevent deletion.
- Deploy a web application firewall with path traversal protection rules that inspect request headers, not only the URL and body
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Backup Migration version. If version is 1.3.9 or lower, you are vulnerable.
Check Version:
wp plugin list --name=backup-backup --field=version
Verify Fix Applied:
Verify plugin version is 1.4.0 or higher in WordPress admin panel.
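When many sites must be checked, the WP-CLI output above is easier to process in bulk than the admin screen. The following is an added example, not code from the advisory or the plugin: it parses constructed `wp plugin list --format=json` output and flags any site still on a version below 1.4.0, comparing versions numerically so that a hypothetical 1.10.0 is not mis-sorted below 1.4.0 the way a plain string comparison would.

```python
"""Flag sites still running Backup Migration <= 1.3.9 from WP-CLI JSON output.

Added example, not part of the original advisory. Assumes you collect
`wp plugin list --format=json` from each site; the sample below is constructed.
"""
import json

AFFECTED_PLUGIN = "backup-backup"   # plugin slug from the advisory
FIXED_VERSION = "1.4.0"             # first fixed release per the advisory


def parse_version(text):
    """Turn '1.3.9' into (1, 3, 9) so comparison is numeric, not lexical.

    A non-numeric suffix such as '-beta' is dropped; an empty or unparsable
    string yields () which sorts below every real version (treated as vulnerable).
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version is below the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_site(plugin_json):
    """Return (status, version); status is 'vulnerable', 'fixed' or 'absent'."""
    for plugin in json.loads(plugin_json):
        if plugin.get("name") == AFFECTED_PLUGIN:
            version = plugin.get("version", "")
            return ("vulnerable" if is_vulnerable(version) else "fixed", version)
    return ("absent", None)


# Constructed sample of `wp plugin list --format=json` (not real output).
SAMPLE_WP_CLI_OUTPUT = (
    '[{"name":"akismet","status":"inactive","update":"none","version":"5.3"},'
    '{"name":"backup-backup","status":"active","update":"available","version":"1.3.9"}]'
)

if __name__ == "__main__":
    status, version = check_site(SAMPLE_WP_CLI_OUTPUT)
    print(f"{AFFECTED_PLUGIN}: {status} (installed {version})")
```

Feed `check_site` the JSON from each host you manage (for example over SSH); a deactivated plugin still reports its version and should be treated the same way as an active one until it is updated or removed.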
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with 'content-backups', 'content-name', 'content-manifest', 'content-bmitmp', or 'content-identy' headers containing path traversal sequences (../)
Network Indicators:
- Requests to the plugin's scripts under /wp-content/plugins/backup-backup/includes/ (in particular backup-heart.php, referenced below) from unauthenticated clients, especially when they carry any of the five headers listed above; any HTTP method is relevant, since the trigger is the header value rather than the method
SIEM Query:
http.headers:*content-* AND http.headers:*..* AND (dest_port:80 OR dest_port:443)
(Field names depend on your SIEM schema; where the schema exposes individual header fields, match the five header names explicitly rather than the wildcard content-* to cut false positives.)
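Most stock access-log formats do not record custom request headers, so the log indicators above are only actionable if the proxy or WAF logs them. The following is an added example, not code from the advisory or the plugin: it assumes a constructed JSON log format in which the reverse proxy writes request headers into a `headers` object, and it flags entries whose plugin headers carry a traversal sequence. It goes slightly beyond the nginx rule above by percent-decoding values (twice, to catch double encoding) and normalising backslashes before matching, which is a conservative choice for detection where a false positive is cheap.

```python
"""Flag requests abusing the CVE-2023-6972 headers in JSON-formatted access logs.

Added example, not part of the original advisory or the plugin. Assumes the
reverse proxy logs request headers as a JSON object per line (constructed format).
"""
import json
import re
from urllib.parse import unquote

# The five request headers the vulnerable plugin trusted (from the advisory).
SUSPECT_HEADERS = ("content-backups", "content-name", "content-manifest",
                   "content-bmitmp", "content-identy")

# A ".." path component: at the start or after a slash, followed by a slash or the end.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def normalize(value):
    """Percent-decode twice (catches %252e double encoding) and unify slashes."""
    decoded = unquote(unquote(value))
    return decoded.replace("\\", "/")


def has_traversal(value):
    """True when the header value contains a '..' path component after decoding."""
    return TRAVERSAL.search(normalize(value)) is not None


def inspect_entry(entry):
    """Return the suspect header names in one log entry whose values traverse."""
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    return [name for name in SUSPECT_HEADERS
            if headers.get(name) and has_traversal(headers[name])]


def scan_log(lines):
    """Return (client_ip, uri, hit_headers) for each entry that looks like an attempt.

    Lines that are blank or not valid JSON are skipped rather than aborting the scan.
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        hits = inspect_entry(entry)
        if hits:
            findings.append((entry.get("remote_addr"), entry.get("uri"), hits))
    return findings


# Constructed sample log lines (not real traffic). Header names use mixed case
# to show the case-insensitive match; the last line is deliberately malformed.
SAMPLE_LOG = """
{"remote_addr":"203.0.113.10","uri":"/wp-content/plugins/backup-backup/includes/backup-heart.php","headers":{"Content-Backups":"../../../../wp-config.php","User-Agent":"curl/8.0"}}
{"remote_addr":"203.0.113.11","uri":"/wp-content/plugins/backup-backup/includes/backup-heart.php","headers":{"content-name":"..%2F..%2Fwp-config.php"}}
{"remote_addr":"198.51.100.7","uri":"/index.php","headers":{"content-manifest":"backups/manifest.json"}}
{"remote_addr":"198.51.100.8","uri":"/wp-login.php","headers":{"content-bmitmp":"tmp..file"}}
not json at all
"""

if __name__ == "__main__":
    for ip, uri, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} -> {uri}: traversal in {', '.join(hits)}")
```

Run it over the proxy's JSON log with `scan_log(open(path))`; note that a value like `tmp..file` is not flagged, since `..` is only dangerous as a whole path component.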
🔗 References
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/backup-heart.php
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/bypasser.php
- https://plugins.trac.wordpress.org/changeset/3012745/backup-backup
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0a3ae696-f67d-4ed2-b307-d2f36b6f188c?source=cve