cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for backup-backup

Jun 07, 2024

Backup Migration # CVE-2021-36884

CVE, Research URL

CVE-2021-36884

Application

Backup Migration

Date
Nov 20, 2021
Research Description
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered in WordPress Backup Migration plugin <= 1.1.5 versions.
Affected versions
max 1.1.6.
Status
vulnerable

Backup Migration # CVE-2023-0958

CVE, Research URL

CVE-2023-0958

Application

Backup Migration

Date
Jul 28, 2023
Research Description
Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handle_installation function that is called via the inisev_installation AJAX action in various versions. This makes it possible for authenticated attackers with minimal permissions, such as subscribers, to install select plugins from Inisev on vulnerable sites. CVE-2023-38514 appears to be a duplicate of this vulnerability.
Affected versions
max 1.2.8.
Status
vulnerable

Backup Migration # CVE-2023-3977

CVE, Research URL

CVE-2023-3977

Application

Backup Migration

Date
Jul 28, 2023
Research Description
Several plugins for WordPress by Inisev are vulnerable to Cross-Site Request Forgery leading to unauthorized installation of plugins due to a missing nonce check on the handle_installation function that is called via the inisev_installation AJAX action in various versions. This makes it possible for unauthenticated attackers to install plugins from the limited list via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.2.9.
Status
vulnerable

Backup Migration # CVE-2023-6266

CVE, Research URL

CVE-2023-6266

Application

Backup Migration

Date
Jan 11, 2024
Research Description
The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download backup files, which can contain sensitive information such as user passwords, PII, database credentials, and much more.
Affected versions
max 1.3.7.
Status
vulnerable

Backup Migration # CVE-2023-6553

CVE, Research URL

CVE-2023-6553

Application

Backup Migration

Date
Dec 15, 2023
Research Description
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.
Affected versions
max 1.3.8.
Status
vulnerable

Backup Migration # CVE-2023-6271

CVE, Research URL

CVE-2023-6271

Application

Backup Migration

Date
Jan 01, 2024
Research Description
The Backup Migration WordPress plugin before 1.3.6 stores in-progress backups information in easy to find, publicly-accessible files, which may allow attackers monitoring those to leak sensitive information from the site's backups.
Affected versions
max 1.3.6.
Status
vulnerable

Backup Migration # CVE-2023-6971

CVE, Research URL

CVE-2023-6971

Application

Backup Migration

Date
Dec 23, 2023
Research Description
The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. NOTE: Successful exploitation of this vulnerability requires that the target server's php.ini is configured with 'allow_url_include' set to 'on'. This feature is deprecated as of PHP 7.4 and is disabled by default, but can still be explicitly enabled in later versions of PHP.
Affected versions
Min 1.0.8, max 1.3.9.
Status
vulnerable

Backup Migration # CVE-2023-6972

CVE, Research URL

CVE-2023-6972

Application

Backup Migration

Date
Dec 23, 2023
Research Description
The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.
Affected versions
max 1.4.0.
Status
vulnerable

Backup Migration # CVE-2023-7002

CVE, Research URL

CVE-2023-7002

Application

Backup Migration

Date
Dec 23, 2023
Research Description
The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands on the host operating system.
Affected versions
max 1.3.0.
Status
vulnerable

Backup Migration # CVE-2024-32686

CVE, Research URL

CVE-2024-32686

Application

Backup Migration

Date
Apr 18, 2024
Research Description
Insertion of Sensitive Information into Log File vulnerability in Inisev Backup Migration. This issue affects Backup Migration: from n/a through 1.4.3.
Affected versions
max 1.4.4.
Status
vulnerable

Backup Migration # CVE-2024-31435

CVE, Research URL

CVE-2024-31435

Application

Backup Migration

Date
-
Research Description
Backup Migration [backup-backup] < 1.4.2 CVE-2024-31435
Affected versions
max 1.4.2.
Status
vulnerable
Jan 05, 2025

Backup Migration # CVE-2024-10932

CVE, Research URL

CVE-2024-10932

Application

Backup Migration

Date
Jan 04, 2025
Research Description
The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit.
Affected versions
max 1.4.6.1.
Status
vulnerable

Backup Migration # CVE-2023-38514

CVE, Research URL

CVE-2023-38514

Application

Backup Migration

Date
Dec 13, 2024
Research Description
Missing Authorization vulnerability in social share pro Social Share Icons & Social Share Buttons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Social Share Icons & Social Share Buttons: from n/a through 3.5.7.
Affected versions
max 1.3.0.
Status
vulnerable
Dec 10, 2025

Backup Migration # CVE-2025-12394

CVE, Research URL

CVE-2025-12394

Application

Backup Migration

Date
Nov 24, 2025
Research Description
The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication.
Affected versions
max 2.0.0.
Status
vulnerable
Apr 13, 2026

Backup Migration # CVE-2025-14944

CVE, Research URL

CVE-2025-14944

Application

Backup Migration

Date
Apr 07, 2026
Research Description
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.
Affected versions
max 2.1.0.
Status
vulnerable
Apr 23, 2026

Backup Migration # PSC-2026-64646

PSC, Research URL

PSC-2026-64646

Application

Backup Migration

Date
Apr 23, 2026
Research Description
Backup and migration plugins sit on one of the most sensitive trust boundaries in WordPress because they routinely interact with site files, database contents, archive generation and extraction, and sometimes remote storage or cross-site transfer flows. A weakness in this class of plugin can quickly translate into unauthorized data exposure, integrity loss during restore operations, or abuse of privileged backup management features. Backup Migration version 2.1.5.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64646, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for backup, restore, migration, and staging plugins.
Affected versions
Min 2.1.5.1, max 2.1.5.1.
Status
SAFE & CERTIFIED
Apr 27, 2026

Backup Migration # CVE-2026-39480

CVE, Research URL

CVE-2026-39480

Application

Backup Migration

Date
-
Research Description
Backup Migration [backup-backup] < 2.1.2 CVE-2026-39480
Affected versions
max 2.1.2.
Status
vulnerable