VYPR

Backup Migration

by WordPress

CVEs (15)

  • CVE-2023-6553 | Critical | Dec 15, 2023
    risk 0.75 | cvss 9.8 | epss 0.98

    The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that…

  • CVE-2023-6972 | Critical | Dec 23, 2023
    risk 0.57 | cvss 9.8 | epss 0.01

    The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. This makes it possible for…

  • CVE-2023-6971 | High | Dec 23, 2023
    risk 0.53 | cvss 8.1 | epss 0.06

    The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. NOTE:…

  • CVE-2026-39480 | High | Jun 15, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    Unauthenticated Sensitive Data Exposure in Backup Migration <= 2.1.1 versions.

  • CVE-2023-54346 | High | May 5, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and…

  • CVE-2023-6266 | High | Jan 11, 2024
    risk 0.49 | cvss 7.5 | epss 0.02

    The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated…

  • CVE-2023-6271 | High | Jan 1, 2024
    risk 0.49 | cvss 7.5 | epss 0.01

    The Backup Migration WordPress plugin before 1.3.6 stores in-progress backup information in easy-to-find, publicly accessible files, which may allow attackers monitoring those files to leak sensitive information from the site's backups.

  • CVE-2023-7002 | High | Dec 23, 2023
    risk 0.43 | cvss 7.2 | epss 0.46

    The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands…

  • CVE-2021-24994 | Medium | Feb 28, 2022
    risk 0.40 | cvss 6.1 | epss 0.01

    The Migration, Backup, Staging WordPress plugin before 0.9.69 does not have authorisation when adding remote storages, and does not sanitise as well as escape a parameter from such unauthenticated requests before outputting it in admin page, leading to a Stored Cross-Site…

  • CVE-2025-12394 | Medium | Nov 24, 2025
    risk 0.38 | cvss 5.9 | epss 0.00

    The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication.

  • CVE-2023-5738 | Medium | Nov 27, 2023
    risk 0.35 | cvss 5.4 | epss 0.00

    The WordPress Backup & Migration WordPress plugin before 1.4.4 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks.

  • CVE-2024-32686 | Medium | Apr 18, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    Insertion of Sensitive Information into Log File vulnerability in Inisev Backup Migration. This issue affects Backup Migration: from n/a through 1.4.3.

  • CVE-2021-36884 | Medium | Nov 19, 2021
    risk 0.31 | cvss 4.8 | epss 0.01

    Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered in WordPress Backup Migration plugin <= 1.1.5 versions.

  • CVE-2024-3546 | Medium | May 2, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    The WordPress Backup & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wp_mgdp_populate_popup function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with…

  • CVE-2023-5737 | Medium | Nov 27, 2023
    risk 0.28 | cvss 4.3 | epss 0.00

    The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings.