VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 14 known issues Latest disclosed Apr 08, 2026

Backup Migration Vulnerabilities

Review known vulnerability records for the WordPress plugin Backup Migration (`backup-backup`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-39480, CVE-2025-14944 and CVE-2025-12394, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
14
High or Critical
9
Patch Coverage
100%
Last Updated
Apr 15, 2026
Priority CVE Quick Links

Fast paths into Backup Migration CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
12
CVE-2023-6972 Critical 1.4.0
CVE-2023-6972 Backup Migration Remote Code Execution

Backup Migration <= 1.3.9 - Unauthenticated Path Traversal to Arbitrary File Deletion

CVE-2023-6553 Critical 1.3.8
CVE-2023-6553 Backup Migration Remote Code Execution

Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution

CVE-2023-6271 Critical 1.3.6
CVE-2023-6271 Backup Migration Sensitive Information Exposure

Backup Migration <= 1.3.5 - Unauthenticated Sensitive Information Exposure

CVE-2024-10932 High 1.4.6.1
CVE-2024-10932 Backup Migration Vulnerability

Backup Migration <= 1.4.6 - Unauthenticated PHP Object Injection via 'recursive_unserialize_replace'

CVE-2023-6971 High 1.4.0
CVE-2023-6971 Backup Migration Vulnerability

Backup Migration 1.0.8 - 1.3.9 - Remote File Inclusion via content-dir

CVE-2025-12394 High 2.0.0
CVE-2025-12394 Backup Migration Sensitive Information Exposure

Backup Migration <= 1.4.9 - Information Exposure to Unauthenticated Back-up Download

CVE-2023-6266 High 1.3.7
CVE-2023-6266 Backup Migration Sensitive Information Exposure

Backup Migration <= 1.3.6 - Unauthenticated Arbitrary Backup Download to Sensitive Information Exposure

CVE-2023-7002 High 1.4.0
CVE-2023-7002 Backup Migration Vulnerability

Backup Migration <= 1.3.9 - Authenticated (Admin+) OS Command Injection via url

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Backup Migration so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
14 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
3 critical and 6 high severity findings.
Recent CVEs
CVE-2026-39480, CVE-2025-14944 and CVE-2025-12394
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Backup Migration

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-39480
CVE-2026-39480: BackupBliss – Backup & Migration with Free Cloud Storage <= 2.1.1 - Unauthenticated Information Exposure

The BackupBliss – Backup & Migration with Free Cloud Storage plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Published
Apr 08, 2026
Patched Release
2.1.2
Affected Versions
Versions up to 2.1.1
Next Step
Update to 2.1.2 or newer if supported.
Open CVE-2026-39480 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-14944
CVE-2025-14944: Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage

The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates again...

Published
Apr 06, 2026
Patched Release
2.1.0
Affected Versions
Versions up to 2.0.0
Next Step
Update to 2.1.0 or newer if supported.
Open CVE-2025-14944 Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-12394
CVE-2025-12394: Backup Migration <= 1.4.9 - Information Exposure to Unauthenticated Back-up Download

The Backup Migration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via an exposed log file containing paths to backups. This makes it possible for unauthenticated attackers to extract sensitive data including file...

Published
Nov 03, 2025
Patched Release
2.0.0
Affected Versions
Versions up to 1.4.9
Next Step
Update to 2.0.0 or newer if supported.
Open CVE-2025-12394 Report Open CVE Reference
Plugin High Patched: Yes CVE-2024-10932
CVE-2024-10932: Backup Migration <= 1.4.6 - Unauthenticated PHP Object Injection via 'recursive_unserialize_replace'

The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP...

Published
Jan 03, 2025
Patched Release
1.4.6.1
Affected Versions
Versions up to 1.4.6
Next Step
Update to 1.4.6.1 or newer if supported.
Open CVE-2024-10932 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-32686
CVE-2024-32686: Backup Migration <= 1.4.3 - Information Exposure via Log Files

The Backup Migration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.3 via log files. This makes it possible for unauthenticated attackers to extract potentially sensitive information via log files.

Published
Apr 17, 2024
Patched Release
1.4.4
Affected Versions
Versions up to 1.4.3
Next Step
Update to 1.4.4 or newer if supported.
Open CVE-2024-32686 Report Open CVE Reference
Plugin High Patched: Yes CVE-2023-7002
CVE-2023-7002: Backup Migration <= 1.3.9 - Authenticated (Admin+) OS Command Injection via url

The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands on...

Published
Dec 22, 2023
Patched Release
1.4.0
Affected Versions
Versions up to 1.3.9
Next Step
Update to 1.4.0 or newer if supported.
Open CVE-2023-7002 Report Open CVE Reference
Plugin High Patched: Yes CVE-2023-6971
CVE-2023-6971: Backup Migration 1.0.8 - 1.3.9 - Remote File Inclusion via content-dir

The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. NOTE: Successful...

Published
Dec 22, 2023
Patched Release
1.4.0
Affected Versions
1.0.8 through 1.3.9
Next Step
Update to 1.4.0 or newer if supported.
Open CVE-2023-6971 Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2023-6972
CVE-2023-6972: Backup Migration <= 1.3.9 - Unauthenticated Path Traversal to Arbitrary File Deletion

The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. This makes it possible for unauthenticate...

Published
Dec 22, 2023
Patched Release
1.4.0
Affected Versions
Versions up to 1.3.9
Next Step
Update to 1.4.0 or newer if supported.
Open CVE-2023-6972 Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2023-6553
CVE-2023-6553: Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that t...

Published
Dec 11, 2023
Patched Release
1.3.8
Affected Versions
Versions up to 1.3.7
Next Step
Update to 1.3.8 or newer if supported.
Open CVE-2023-6553 Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2023-6271
CVE-2023-6271: Backup Migration <= 1.3.5 - Unauthenticated Sensitive Information Exposure

The Backup Migration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5. This makes it possible for unauthenticated attackers to extract database backups leading to the potential for a complete site takeover.

Published
Dec 07, 2023
Patched Release
1.3.6
Affected Versions
Versions up to 1.3.5
Next Step
Update to 1.3.6 or newer if supported.
Open CVE-2023-6271 Report Open CVE Reference
Plugin High Patched: Yes CVE-2023-6266
CVE-2023-6266: Backup Migration <= 1.3.6 - Unauthenticated Arbitrary Backup Download to Sensitive Information Exposure

The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated at...

Published
Nov 30, 2023
Patched Release
1.3.7
Affected Versions
Versions up to 1.3.6
Next Step
Update to 1.3.7 or newer if supported.
Open CVE-2023-6266 Report Open CVE Reference
Plugin Medium Patched: Yes
Backup Migration <= 1.2.9 - Cross-Site Request Forgery

The Backup Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.9. This is due to missing nonce validation on the ajax() function, or BMI_Ajax class. This makes it possible for unauthenticated attackers to control any of...

Published
Sep 05, 2023
Patched Release
1.3.0
Affected Versions
Versions before 1.3.0
Next Step
Update to 1.3.0 or newer if supported.
Open Full Report