CVE-2024-31254 – WordPress WordPress Backup & Migration plugin <= 1.4.7 - Sensitive Data Exposure via Log File vulnerability
https://notcve.org/view.php?id=CVE-2024-31254
Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration. This issue affects WordPress Backup & Migration: from n/a through 1.4.7. The WordPress Backup & Migration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.7 via log files. This makes it possible for unauthenticated attackers to extract sensitive data from log files.
• https://patchstack.com/database/vulnerability/wp-migration-duplicator/wordpress-wordpress-backup-migration-plugin-1-4-7-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-532: Insertion of Sensitive Information into Log File
CVE-2023-45636 – WordPress Backup & Migration <= 1.4.1 - Missing Authorization to Settings and Schedule Modification
https://notcve.org/view.php?id=CVE-2023-45636
The WordPress Backup & Migration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wt_save_settings and save_schedule functions in versions up to, and including, 1.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify plugin settings or the cron schedule.
• CWE-862: Missing Authorization
CVE-2023-33928 – WordPress Backup & Migration <= 1.4.0 - Missing Authorization via wt_delete_schedule
https://notcve.org/view.php?id=CVE-2023-33928
The WordPress Backup & Migration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wt_delete_schedule' AJAX function in versions up to, and including, 1.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the migration schedule cron.
• CWE-862: Missing Authorization