Np3228

**Name of the Vulnerable Software and Affected Versions** Backup Migration plugin for WordPress versions 1.0.8 through 1.3.9 **Description** The issue allows unauthenticated attackers to include remote files on the server, resulting in code execution, via the `content-dir` HTTP header. Successful exploitation requires the target server's php.ini to be configured with `allow url include` set to `on`. This feature is deprecated as of PHP 7.4 and is disabled by default but can still be explicitly enabled in later versions of PHP. **Recommendations** For versions 1.0.8 through 1.3.9, consider disabling the `content-dir` HTTP header until a patch is available. Additionally, ensure the `allow url include` setting in php.ini is set to `off` to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Backup Migration plugin for WordPress versions up to, and including, 1.3.9 **Description** The issue allows unauthenticated attackers to perform Path Traversal via the `content-backups` and `content-name`, `content-manifest`, or `content-bmitmp` and `content-identy` HTTP headers. This enables the deletion of arbitrary files, including the wp-config.php file, potentially leading to site takeover and remote code execution. **Recommendations** For versions up to, and including, 1.3.9, update to a version later than 1.3.9 to resolve the issue. As a temporary workaround, consider restricting access to the `content-backups`, `content-name`, `content-manifest`, `content-bmitmp`, and `content-identy` HTTP headers until a patch is available. Avoid using the affected HTTP headers in the Backup Migration plugin until the issue is resolved.