High severity7.5NVD Advisory· Published May 5, 2026· Updated May 5, 2026

CVE-2023-54346

Description

WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps.

Affected products

WordPress/Backup Backupinferred
Range: =1.2.8
Package: https://wordpress.org/plugins/backup-backup

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

backupbliss.comnvd
downloads.wordpress.org/plugin/backup-backup.1.2.8.zipnvd
www.exploit-db.com/exploits/51445nvd
www.vulncheck.com/advisories/wordpress-plugin-backup-migration-unauthenticated-database-backup-downloadnvd

News mentions

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026)
Wordfence Blog · Apr 16, 2026

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000