CVE-2024-12330
Published: 09 January 2025
Description
The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.3 via publicly accessible backup files. This makes it possible for unauthenticated attackers to extract sensitive data, including all information stored in the database.
Security Summary
CVE-2024-12330 is a sensitive information exposure vulnerability (CWE-530) affecting the WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress, in all versions up to and including 7.3. The issue stems from publicly accessible backup files, which expose all information stored in the database. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity by directly accessing the publicly exposed backup files. Successful exploitation allows extraction of sensitive data, including the entire database contents, potentially encompassing user credentials, personal information, and other confidential site data.
Advisories from Wordfence and the WordPress plugin Trac repository describe the mitigation as updating the plugin; the fix commits are available as changesets 3209380 and 3209387. Security practitioners should inventory installations of the plugin, confirm that its backup files are not reachable over the web, and update promptly to a version beyond 7.3.
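The two checks the paragraph above recommends (is the installed plugin at or below 7.3, and does the web root hold backup archives that no deny rule covers) can be scripted. The following is an added example written for this page, not code from the advisory, Wordfence, or the plugin. It assumes an Apache-style host that honours per-directory .htaccess files, and every path, plugin slug and backup file name in it is constructed sample data, not the plugin's real layout.

```python
"""Audit a WordPress web root for web-served backup archives and a vulnerable plugin version.

Added example (not the plugin's or the advisory's code). Assumptions, all hypothetical:
- the web server is Apache and applies per-directory .htaccess files;
- backup archives end in one of BACKUP_SUFFIXES;
- the plugin's main PHP file carries a standard WordPress "Version:" header.
"""
import re
import tempfile
from pathlib import Path

# Suffixes a database/files backup plugin is likely to write (constructed list).
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".zip", ".tar.gz")
# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") spellings of a deny-all rule.
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
# WordPress plugin header line, e.g. " * Version: 7.3".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M)


def is_blocked(directory: Path, webroot: Path) -> bool:
    """True if `directory` or any ancestor up to `webroot` carries an .htaccess deny-all rule."""
    current, root = directory.resolve(), webroot.resolve()
    while True:
        htaccess = current / ".htaccess"
        if htaccess.is_file() and DENY_RE.search(htaccess.read_text(errors="replace")):
            return True
        if current == root or current.parent == current:
            return False
        current = current.parent


def find_exposed_backups(webroot: Path) -> list:
    """Return web-root-relative paths of backup archives that no deny rule covers."""
    exposed = []
    for path in sorted(webroot.rglob("*")):
        if (path.is_file() and path.name.lower().endswith(BACKUP_SUFFIXES)
                and not is_blocked(path.parent, webroot)):
            exposed.append(path.relative_to(webroot).as_posix())
    return exposed


def parse_version(text: str) -> tuple:
    """'7.3.1' -> (7, 3, 1); tuple ordering makes 7.3.1 > 7.3 and 7.4 > 7.3."""
    return tuple(int(part) for part in text.strip(".").split("."))


def plugin_is_vulnerable(plugin_main_file: Path, last_vulnerable: str = "7.3") -> bool:
    """Read the plugin header and report True if its Version is <= the last vulnerable release."""
    match = VERSION_RE.search(plugin_main_file.read_text(errors="replace"))
    if not match:
        raise ValueError(f"no Version: header found in {plugin_main_file}")
    return parse_version(match.group(1)) <= parse_version(last_vulnerable)


def build_sample_tree() -> Path:
    """Construct a throwaway web root: one exposed backup, one protected backup, one old plugin."""
    webroot = Path(tempfile.mkdtemp(prefix="wp-audit-"))

    exposed_dir = webroot / "wp-content" / "uploads" / "db-backup"  # hypothetical path
    exposed_dir.mkdir(parents=True)
    (exposed_dir / "site-2025-01-09.sql").write_text("-- constructed dump, no real data\n")

    protected_dir = webroot / "wp-content" / "backups-private"  # hypothetical path
    protected_dir.mkdir(parents=True)
    (protected_dir / ".htaccess").write_text("Require all denied\n")
    (protected_dir / "site.sql.gz").write_bytes(b"\x1f\x8b")  # gzip magic only, sample content

    plugin_dir = webroot / "wp-content" / "plugins" / "example-backup-plugin"  # placeholder slug
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "example-backup-plugin.php").write_text(
        "<?php\n/**\n * Plugin Name: Example Backup Plugin\n * Version: 7.3\n */\n")
    return webroot


if __name__ == "__main__":
    root = build_sample_tree()
    print("backup archives served without a deny rule:", find_exposed_backups(root))
    main_file = root / "wp-content" / "plugins" / "example-backup-plugin" / "example-backup-plugin.php"
    print("plugin version at or below 7.3:", plugin_is_vulnerable(main_file))
```

Run it against a real install by calling `find_exposed_backups(Path("/var/www/html"))` and `plugin_is_vulnerable()` on the plugin's actual main file. The deny-rule check only reflects Apache semantics; on nginx, which ignores .htaccess, treat every hit as exposed and add a `location` block that returns 403 for the backup directory instead. An archive that is not served is still a risk if it sits in a directory listing or a predictable path, so the durable fix is to store backups outside the web root and update the plugin.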
Details
- CWE(s): CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere)