PT-2024-19622 · WordPress · Backuply

Dau Hoang Tai · Published 2024-03-15 · Updated 2024-03-17 · CVE-2024-2294

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress, versions up to and including 1.2.7.

Description: The issue allows attackers with an account that has only the activate plugins capability to access arbitrary files on the server, potentially containing sensitive information, via a Directory Traversal vulnerability. This is possible through the backup name parameter in the backuply download backup function. The vulnerability only affects sites hosted on Windows servers.

Recommendations: For versions up to and including 1.2.7, consider disabling the backuply download backup function until a patch is available to prevent exploitation. Restrict access to sensitive files on the server to minimize the risk of information disclosure. Avoid using the backup name parameter in the affected function until the issue is resolved.
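The Windows-only scope of the description suggests a name check that treats `/` as the only separator. The following is an added illustration, not the plugin's code (Backuply is PHP; the logic is shown in Python so it can be run directly): a weak check of that assumed kind beside a strict allow-list check, plus a Windows-semantics resolution test against a constructed backup directory path.

```python
"""Backup-name validation: a weak separator check beside a strict allow-list.
Illustrative code; the weak pattern is assumed, not taken from Backuply."""
import ntpath
import posixpath
import re

# Constructed example path for a Windows-hosted site (not from the advisory).
BACKUP_DIR = r"C:\inetpub\site\wp-content\backuply\backups"

# Allow-list: a bare archive file name, no separators, no drive letter, no NUL.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}\.(?:zip|tar\.gz)$")


def weak_is_safe(name: str) -> bool:
    """Assumed weak pattern: only blocks '../' and leading '/'.
    Windows also treats '..\\' as a parent reference, so it slips through."""
    return "../" not in name and not name.startswith("/")


def strict_is_safe(name: str) -> bool:
    """Hardened check: reject NUL bytes, then require the allow-list match and
    confirm the value is a plain basename under both POSIX and NT rules."""
    if "\x00" in name or not SAFE_NAME.fullmatch(name):
        return False
    if posixpath.basename(name) != name or ntpath.basename(name) != name:
        return False
    return not (ntpath.isabs(name) or ntpath.splitdrive(name)[0])


def windows_resolve(backup_dir: str, name: str) -> str:
    """Resolve the way a Windows server would (ntpath join + normpath)."""
    return ntpath.normpath(ntpath.join(backup_dir, name))


def escapes_dir(backup_dir: str, name: str) -> bool:
    """True when the resolved path leaves backup_dir under Windows semantics."""
    base = ntpath.normpath(backup_dir)
    return ntpath.commonpath([base, windows_resolve(backup_dir, name)]) != base


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate archive name, one traversal.
    for candidate in ("site-2024-03-15.zip", r"..\..\..\wp-config.php"):
        print(f"{candidate!r}: weak={weak_is_safe(candidate)} "
              f"strict={strict_is_safe(candidate)} "
              f"escapes={escapes_dir(BACKUP_DIR, candidate)} "
              f"-> {windows_resolve(BACKUP_DIR, candidate)}")
```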

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2024-2294

Affected Products

Backuply