CVE-2025-12394 is a vulnerability classified under CWE-200 (Information Exposure) affecting the Backup Migration WordPress plugin versions before 2.0.0. The root cause lies in the plugin's failure to correctly generate the backup path in certain server environments, which leads to the creation of a log file accessible without authentication. This log file reveals the exact filename of the backup archive. Since the backup archive itself is stored in a location accessible via the web server, an attacker can use the disclosed filename to download the backup archive without any authentication or user interaction. This backup archive may contain sensitive website data, including database dumps, configuration files, and user information, leading to a significant confidentiality breach. The vulnerability does not require any privileges or user interaction, making it straightforward to exploit remotely. No CVSS score has been assigned yet, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on October 28, 2025, and published on November 24, 2025. The plugin is widely used in WordPress environments for backup and migration tasks, making this vulnerability relevant to many websites that rely on it for data protection and transfer.

For European organizations, this vulnerability poses a critical risk to data confidentiality. Backup archives often contain comprehensive snapshots of website data, including user information, credentials, and proprietary content. Unauthorized access to these backups can lead to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and potential financial penalties. Organizations in sectors such as finance, healthcare, e-commerce, and government are particularly vulnerable due to the sensitivity of their data. The ease of exploitation without authentication increases the threat level, as attackers can automate scanning and downloading of backup files from vulnerable sites. Additionally, the exposure of backup filenames can facilitate further targeted attacks or social engineering campaigns. The lack of known exploits in the wild currently limits immediate widespread impact, but the vulnerability's public disclosure increases the risk of future exploitation. European companies relying on WordPress sites with this plugin should consider the risk of data leakage and potential operational disruption.

The primary mitigation is to upgrade the Backup Migration WordPress plugin to version 2.0.0 or later, where this vulnerability is addressed. Until an update is applied, organizations should implement strict access controls on backup directories and logs, ensuring they are not publicly accessible via the web server. Web server configurations (e.g., .htaccess rules for Apache or location blocks for Nginx) should explicitly deny access to backup files and logs. Additionally, organizations should audit their backup storage locations to confirm that sensitive files are stored outside the web root or protected by authentication mechanisms. Regularly monitoring web server logs for suspicious access attempts to backup files can help detect exploitation attempts. Employing a Web Application Firewall (WAF) with rules to block unauthorized access to backup-related URLs can provide an additional layer of defense. Finally, organizations should review their incident response plans to quickly address any potential data exposure resulting from this vulnerability.