Backup Migration
by WordPress
Source repositories
CVEs (15)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-6553 | Cri | 0.75 | 9.8 | 0.98 | Dec 15, 2023 | The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that… | ||
| CVE-2023-6972 | Cri | 0.57 | 9.8 | 0.01 | Dec 23, 2023 | The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. This makes it possible for… | ||
| CVE-2023-6971 | Hig | 0.53 | 8.1 | 0.06 | Dec 23, 2023 | The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. NOTE:… | ||
| CVE-2026-39480 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Backup Migration <= 2.1.1 versions. | ||
| CVE-2023-54346 | Hig | 0.49 | 7.5 | 0.00 | May 5, 2026 | WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and… | ||
| CVE-2023-6266 | Hig | 0.49 | 7.5 | 0.02 | Jan 11, 2024 | The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated… | ||
| CVE-2023-6271 | Hig | 0.49 | 7.5 | 0.01 | Jan 1, 2024 | The Backup Migration WordPress plugin before 1.3.6 stores in-progress backups information in easy to find, publicly-accessible files, which may allow attackers monitoring those to leak sensitive information from the site's backups. | ||
| CVE-2023-7002 | Hig | 0.43 | 7.2 | 0.46 | Dec 23, 2023 | The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands… | ||
| CVE-2021-24994 | Med | 0.40 | 6.1 | 0.01 | Feb 28, 2022 | The Migration, Backup, Staging WordPress plugin before 0.9.69 does not have authorisation when adding remote storages, and does not sanitise as well as escape a parameter from such unauthenticated requests before outputting it in admin page, leading to a Stored Cross-Site… | ||
| CVE-2025-12394 | Med | 0.38 | 5.9 | 0.00 | Nov 24, 2025 | The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication. | ||
| CVE-2023-5738 | Med | 0.35 | 5.4 | 0.00 | Nov 27, 2023 | The WordPress Backup & Migration WordPress plugin before 1.4.4 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks. | ||
| CVE-2024-32686 | Med | 0.34 | 5.3 | 0.00 | Apr 18, 2024 | Insertion of Sensitive Information into Log File vulnerability in Inisev Backup Migration.This issue affects Backup Migration: from n/a through 1.4.3. | ||
| CVE-2021-36884 | Med | 0.31 | 4.8 | 0.01 | Nov 19, 2021 | Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered in WordPress Backup Migration plugin <= 1.1.5 versions. | ||
| CVE-2024-3546 | Med | 0.28 | 4.3 | 0.00 | May 2, 2024 | The WordPress Backup & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wp_mgdp_populate_popup function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with… | ||
| CVE-2023-5737 | Med | 0.28 | 4.3 | 0.00 | Nov 27, 2023 | The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings. |
- risk 0.75cvss 9.8epss 0.98
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that…
- risk 0.57cvss 9.8epss 0.01
The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. This makes it possible for…
- risk 0.53cvss 8.1epss 0.06
The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. NOTE:…
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Sensitive Data Exposure in Backup Migration <= 2.1.1 versions.
- risk 0.49cvss 7.5epss 0.00
WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and…
- risk 0.49cvss 7.5epss 0.02
The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated…
- risk 0.49cvss 7.5epss 0.01
The Backup Migration WordPress plugin before 1.3.6 stores in-progress backups information in easy to find, publicly-accessible files, which may allow attackers monitoring those to leak sensitive information from the site's backups.
- risk 0.43cvss 7.2epss 0.46
The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands…
- risk 0.40cvss 6.1epss 0.01
The Migration, Backup, Staging WordPress plugin before 0.9.69 does not have authorisation when adding remote storages, and does not sanitise as well as escape a parameter from such unauthenticated requests before outputting it in admin page, leading to a Stored Cross-Site…
- risk 0.38cvss 5.9epss 0.00
The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication.
- risk 0.35cvss 5.4epss 0.00
The WordPress Backup & Migration WordPress plugin before 1.4.4 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks.
- risk 0.34cvss 5.3epss 0.00
Insertion of Sensitive Information into Log File vulnerability in Inisev Backup Migration.This issue affects Backup Migration: from n/a through 1.4.3.
- risk 0.31cvss 4.8epss 0.01
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered in WordPress Backup Migration plugin <= 1.1.5 versions.
- risk 0.28cvss 4.3epss 0.00
The WordPress Backup & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wp_mgdp_populate_popup function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with…
- risk 0.28cvss 4.3epss 0.00
The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings.