CVE-2024-12330 (GCVE-0-2024-12330)

Vulnerability from cvelistv5 – Published: 2025-01-09 11:10 – Updated: 2025-01-09 14:46
VLAI?
Summary
The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.3 via publicly accessible back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including all information stored in the database.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-530 - Exposure of Backup File to an Unauthorized Control Sphere
Assigner
References
Impacted products
Vendor Product Version
databasebackup WP Database Backup – Unlimited Database & Files Backup by Backup for WP Affected: * , ≤ 7.3 (semver)
Create a notification for this product.
Credits
Noah Stead
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12330",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T14:46:15.526542Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T14:46:23.200Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP Database Backup \u2013 Unlimited Database \u0026 Files Backup by Backup for WP",
          "vendor": "databasebackup",
          "versions": [
            {
              "lessThanOrEqual": "7.3",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Noah Stead"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Database Backup \u2013 Unlimited Database \u0026 Files Backup by Backup for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.3 via publicly accessible back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including all information stored in the database."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-530",
              "description": "CWE-530 Exposure of Backup File to an Unauthorized Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T11:10:56.083Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f36839b-850e-4c39-aa61-4fd7a89cd5bc?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3209380%40wp-database-backup\u0026new=3209380%40wp-database-backup\u0026sfp_email=\u0026sfph_mail="
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3209387%40wp-database-backup\u0026new=3209387%40wp-database-backup\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-01-08T00:00:00.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "WP Database Backup \u2013 Unlimited Database \u0026 Files Backup by Backup for WP \u003c= 7.3 - Unauthenticated Database Back-Up Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-12330",
    "datePublished": "2025-01-09T11:10:56.083Z",
    "dateReserved": "2024-12-06T21:53:14.478Z",
    "dateUpdated": "2025-01-09T14:46:23.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The WP Database Backup \\u2013 Unlimited Database \u0026 Files Backup by Backup for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.3 via publicly accessible back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including all information stored in the database.\"}, {\"lang\": \"es\", \"value\": \"El complemento WP Database Backup \\u2013 Unlimited Database y Files Backup de Backup para WP para WordPress es vulnerable a la exposici\\u00f3n de informaci\\u00f3n confidencial en todas las versiones hasta la 7.3 incluida a trav\\u00e9s de archivos de respaldo de acceso p\\u00fablico. Esto permite que atacantes no autenticados extraigan datos confidenciales, incluida toda la informaci\\u00f3n almacenada en la base de datos.\"}]",
      "id": "CVE-2024-12330",
      "lastModified": "2025-01-09T11:15:13.090",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@wordfence.com\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2025-01-09T11:15:13.090",
      "references": "[{\"url\": \"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3209380%40wp-database-backup\u0026new=3209380%40wp-database-backup\u0026sfp_email=\u0026sfph_mail=\", \"source\": \"security@wordfence.com\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3209387%40wp-database-backup\u0026new=3209387%40wp-database-backup\u0026sfp_email=\u0026sfph_mail=\", \"source\": \"security@wordfence.com\"}, {\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/3f36839b-850e-4c39-aa61-4fd7a89cd5bc?source=cve\", \"source\": \"security@wordfence.com\"}]",
      "sourceIdentifier": "security@wordfence.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@wordfence.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-530\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-12330\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2025-01-09T11:15:13.090\",\"lastModified\":\"2025-01-09T11:15:13.090\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The WP Database Backup \u2013 Unlimited Database \u0026 Files Backup by Backup for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.3 via publicly accessible back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including all information stored in the database.\"},{\"lang\":\"es\",\"value\":\"El complemento WP Database Backup \u2013 Unlimited Database y Files Backup de Backup para WP para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n confidencial en todas las versiones hasta la 7.3 incluida a trav\u00e9s de archivos de respaldo de acceso p\u00fablico. Esto permite que atacantes no autenticados extraigan datos confidenciales, incluida toda la informaci\u00f3n almacenada en la base de datos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-530\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3209380%40wp-database-backup\u0026new=3209380%40wp-database-backup\u0026sfp_email=\u0026sfph_mail=\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3209387%40wp-database-backup\u0026new=3209387%40wp-database-backup\u0026sfp_email=\u0026sfph_mail=\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/3f36839b-850e-4c39-aa61-4fd7a89cd5bc?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-12330\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-09T14:46:15.526542Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-09T14:46:18.757Z\"}}], \"cna\": {\"title\": \"WP Database Backup \\u2013 Unlimited Database \u0026 Files Backup by Backup for WP \u003c= 7.3 - Unauthenticated Database Back-Up Exposure\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Noah Stead\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"}}], \"affected\": [{\"vendor\": \"databasebackup\", \"product\": \"WP Database Backup \\u2013 Unlimited Database \u0026 Files Backup by Backup for WP\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"7.3\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-01-08T00:00:00.000+00:00\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/3f36839b-850e-4c39-aa61-4fd7a89cd5bc?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3209380%40wp-database-backup\u0026new=3209380%40wp-database-backup\u0026sfp_email=\u0026sfph_mail=\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3209387%40wp-database-backup\u0026new=3209387%40wp-database-backup\u0026sfp_email=\u0026sfph_mail=\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The WP Database Backup \\u2013 Unlimited Database \u0026 Files Backup by Backup for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.3 via publicly accessible back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including all information stored in the database.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-530\", \"description\": \"CWE-530 Exposure of Backup File to an Unauthorized Control Sphere\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2025-01-09T11:10:56.083Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-12330\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-09T14:46:23.200Z\", \"dateReserved\": \"2024-12-06T21:53:14.478Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2025-01-09T11:10:56.083Z\", \"assignerShortName\": \"Wordfence\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.