cleantalk
Vulnerabilities and Security Researches

Backup Migration, CVE-2023-6971

CVE, Research URL

CVE-2023-6971

Home page URL

Security reports for Backup Migration

Application

Backup Migration

Published on
Dec 23, 2023
Research Description
The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. NOTE: Successful exploitation of this vulnerability requires that the target server's php.ini is configured with 'allow_url_include' set to 'on'. This feature is deprecated as of PHP 7.4 and is disabled by default, but can still be explicitly enabled in later versions of PHP.
Affected versions
Min 1.0.8, max 1.3.9.
Status
vulnerable
Previous vulnerability researches
Backup Migration , Apr 23, 2026
Backup Migration (CVE-2025-12394) , Dec 10, 2025
Backup Migration (CVE-2026-39480) , Apr 27, 2026
Backup Migration (CVE-2024-10932) , Jan 05, 2025
Backup Migration (CVE-2023-38514) , Jan 05, 2025
New vulnerability
IDPay Payment Gateway for Woocommerce (CVE-2026-34891) , Apr 27, 2026
Doppler Forms (CVE-2025-9544) , Apr 27, 2026
Acclectic Media Organizer (CVE-2025-48326) , Apr 27, 2026
Contact Form 7 reCAPTCHA (CVE-2025-8280) , Apr 27, 2026
Backup Migration (CVE-2026-39480) , Apr 27, 2026