CVE-2023-53907: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Bludit Backup Plugin
Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logged-in users to access arbitrary files. Attackers can exploit the plugin's download functionality by manipulating file path parameters to read sensitive system files through directory traversal.
AI Analysis
Technical Summary
CVE-2023-53907 is a path traversal vulnerability identified in the Backup Plugin of Bludit CMS versions prior to 3.13.1. The flaw arises from improper validation and limitation of file path parameters in the plugin's file download functionality. Authenticated users with at least limited privileges can manipulate the pathname input to traverse directories and access arbitrary files on the server filesystem beyond the intended backup directory. This vulnerability does not require additional user interaction and can be exploited remotely over the network. The CVSS 4.0 base score of 7.1 reflects a high severity due to network attack vector, low attack complexity, no user interaction, and high impact on confidentiality. The vulnerability affects confidentiality exclusively, allowing unauthorized reading of sensitive files, but does not impact integrity or availability. Although no public exploits have been reported, the vulnerability poses a significant risk of information disclosure, including exposure of credentials, configuration files, or other sensitive data that could facilitate further compromise. The vulnerability was published on December 17, 2025, and affects Bludit Backup Plugin versions before 3.13.1. The recommended remediation is to upgrade to version 3.13.1 or later where the issue is fixed. Additional mitigations include restricting access to the Backup Plugin to trusted users only and implementing monitoring to detect anomalous file access patterns indicative of exploitation attempts.
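The flaw class described above (a download handler that joins a user-supplied name onto the backup directory without confirming where the result lands) is illustrated below with an added example. This is not Bludit's code and not the plugin's actual fix; the pattern is language-independent, so Python is used, and all function and file names are hypothetical. The hardened form canonicalises the requested path and accepts it only when it stays inside the backup directory and names a regular file.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_download_unsafe(backup_dir: str, requested: str) -> Path:
    """Vulnerable pattern: the user-controlled name is joined onto the base
    directory and used as-is. '../' segments (or an absolute path) walk out
    of backup_dir, which is the defect class the advisory describes."""
    return Path(backup_dir) / requested


def resolve_download_safe(backup_dir: str, requested: str) -> Optional[Path]:
    """Hardened pattern: canonicalise both sides (collapsing '..' and symlinks),
    then require the target to lie strictly inside the backup directory and
    to be a regular file. Returns None for anything that must be refused."""
    base = Path(backup_dir).resolve()
    try:
        target = (base / requested).resolve(strict=True)  # must exist
    except (OSError, RuntimeError):  # missing file or symlink loop
        return None
    if target == base or not target.is_relative_to(base):
        return None  # escaped the restricted directory
    if not target.is_file():
        return None
    return target


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed layout: one backup archive inside backups/, one file outside it.
    Runs both resolvers on a legitimate name and on three escape attempts."""
    root = Path(tempfile.mkdtemp()).resolve()
    backups = root / "backups"
    backups.mkdir()
    (backups / "site-2025-12-17.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)  # constructed
    (root / "secret.txt").write_text("not for download")  # constructed

    cases = {
        "legit": "site-2025-12-17.zip",
        "dotdot": "../secret.txt",
        "absolute": str(root / "secret.txt"),
        "empty": "",
    }
    results: Dict[str, Dict[str, object]] = {}
    for name, requested in cases.items():
        unsafe = resolve_download_unsafe(str(backups), requested).resolve()
        results[name] = {
            "unsafe_escaped": not unsafe.is_relative_to(backups),
            "safe": resolve_download_safe(str(backups), requested),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:9} unsafe escaped: {r['unsafe_escaped']!s:5} safe result: {r['safe']}")
```

The containment test must run on the canonical path, not on the raw string: rejecting literal `..` alone misses encoded variants and symlinks, whereas `resolve()` followed by `is_relative_to()` judges where the file actually is.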
Potential Impact
For European organizations using Bludit CMS with the vulnerable Backup Plugin, this vulnerability could lead to unauthorized disclosure of sensitive information such as configuration files, database credentials, or other critical system files. This exposure can facilitate further attacks including privilege escalation, lateral movement, or data breaches. Organizations in sectors with strict data protection regulations like GDPR may face compliance risks and reputational damage if sensitive data is leaked. The impact is particularly significant for public-facing websites or intranet portals relying on Bludit, as attackers with valid credentials (even low-privilege users) can exploit the flaw remotely. The breach of confidentiality could also affect intellectual property and internal communications. Given the ease of exploitation and network accessibility, the vulnerability represents a substantial risk to the security posture of affected European entities.
Mitigation Recommendations
1. Immediately update the Bludit Backup Plugin to version 3.13.1 or later where the vulnerability is patched.
2. Restrict access to the Backup Plugin functionality to only trusted and necessary users, minimizing the number of authenticated accounts with plugin access.
3. Implement strict input validation and sanitization on file path parameters if custom modifications or alternative plugins are used.
4. Monitor web server and application logs for unusual file access patterns or attempts to traverse directories, focusing on requests to the Backup Plugin endpoints.
5. Employ web application firewalls (WAFs) with rules designed to detect and block directory traversal attempts targeting the plugin.
6. Conduct regular security audits and vulnerability scans on Bludit installations to identify outdated or vulnerable components.
7. Educate administrators and users about the risks of using outdated plugins and the importance of applying security updates promptly.
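Recommendation 4 (log monitoring for traversal attempts against the plugin endpoints) is shown below as an added example; it is not part of the advisory and not a tool from the Bludit project. It parses web-server combined-format lines, decodes repeated percent-encoding so that `..%252F` is caught as well as `..%2F`, and flags path or query values that contain a dot-dot segment, a null byte, or an absolute path. The plugin route `PLUGIN_PATH_PREFIX` is an assumed placeholder, and the log lines are constructed samples.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# ASSUMPTION: placeholder route for the Backup Plugin. Substitute the route
# your deployment actually serves; it is not taken from the advisory.
PLUGIN_PATH_PREFIX = "/admin/plugin/backup"

# Apache/nginx "combined" log format, up to the response size field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A ".." segment bounded by separators or string start/end, after normalisation.
DOTDOT_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252F (double-encoded '/') is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reason(value: str, is_param: bool) -> str:
    """Return a short reason if the value looks like a traversal attempt, else ''."""
    v = fully_decode(value).replace("\\", "/")  # treat backslash as a separator too
    if "\x00" in v:
        return "null byte"
    if DOTDOT_RE.search(v):
        return "dot-dot segment"
    if is_param and v.startswith("/"):
        return "absolute path in parameter"
    return ""


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests whose path or query values carry traversal indicators.
    plugin_endpoint marks hits on the Backup Plugin route, which is where the
    advisory says the vulnerable download handler lives."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m["target"])
        candidates = [(parts.path, False)]
        for values in parse_qs(parts.query, keep_blank_values=True).values():
            candidates.extend((v, True) for v in values)
        for value, is_param in candidates:
            reason = traversal_reason(value, is_param)
            if reason:
                alerts.append({
                    "ip": m["ip"], "user": m["user"], "target": m["target"],
                    "status": int(m["status"]), "reason": reason,
                    "plugin_endpoint": parts.path.startswith(PLUGIN_PATH_PREFIX),
                })
                break  # one alert per request line
    return alerts


# Constructed sample lines (not real traffic): a legitimate download, two
# traversal attempts on the plugin route (single- and double-encoded), an
# ordinary page view, and a traversal probe on an unrelated path.
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Dec/2025:10:01:02 +0000] "GET /admin/plugin/backup?download=site-2025-12-17.zip HTTP/1.1" 200 52311',
    '203.0.113.10 - - [17/Dec/2025:10:01:30 +0000] "GET /admin/plugin/backup?download=..%2F..%2Fsecret-config.php HTTP/1.1" 200 1882',
    '203.0.113.10 - - [17/Dec/2025:10:01:45 +0000] "GET /admin/plugin/backup?download=..%252F..%252Fsecret-config.php HTTP/1.1" 200 1882',
    '198.51.100.7 - - [17/Dec/2025:10:02:10 +0000] "GET /blog/hello-world HTTP/1.1" 200 4410',
    '198.51.100.7 - - [17/Dec/2025:10:02:12 +0000] "GET /../../outside.txt HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        severity = "HIGH" if a["plugin_endpoint"] else "low"
        print(f'{severity:4} {a["ip"]} {a["status"]} {a["reason"]:<27} {a["target"]}')
```

A 200 response on a flagged plugin request is the signal to treat as a likely successful read rather than a blocked probe. Web-server logs only record an HTTP-auth user, so correlate the source address and timestamp with the CMS's own session or audit log to identify which authenticated account issued the request.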
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-12-16T19:22:09.994Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69433601058703ef3fd0209f
Added to database: 12/17/2025, 11:00:17 PM
Last enriched: 12/17/2025, 11:18:17 PM
Last updated: 12/18/2025, 4:05:59 AM