CVE-2025-12394
Description
The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Backup Migration plugin before 2.0.0 exposes backup filenames via a log file, allowing unauthenticated download of the entire backup archive.
The Backup Migration WordPress plugin versions before 2.0.0 contain a vulnerability where the backup path is not properly generated under certain server configurations. This flaw allows an unauthenticated attacker to access a log file that discloses the filename of the most recent backup archive [1].
Exploitation requires no authentication or special privileges; an attacker can simply request the log file to obtain the backup filename, then use that information to directly download the backup archive from the server [1]. The lack of access controls on both the log and the backup file makes this a straightforward path to data exposure.
The impact is significant: the downloaded backup archive typically contains the entire WordPress installation, including database credentials, user data, uploaded files, and configuration settings. With this information, an attacker could compromise the site, exfiltrate sensitive data, or gain persistent access [1].
The vulnerability has been fixed in version 2.0.0 of the plugin. Users running an earlier version should update immediately to prevent potential exploitation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.