CVE-2025-12394

Summary

The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication.

Affected Software

VendorProductVersion RangeStatus
UnknownBackup Migration0 < 2.0.0affected

Weaknesses

  • CWE-200 Information Exposure

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References