CVE-2025-12394 is an information exposure vulnerability identified in the Backup Migration WordPress plugin prior to version 2.0.0. The root cause lies in the plugin's failure to correctly generate the backup path under certain server configurations, which leads to the creation of a log file accessible without authentication. This log file discloses the backup filename, which an unauthenticated attacker can use to directly download the backup archive. The backup archive typically contains sensitive website data, including content, configurations, and potentially user information. The vulnerability is categorized under CWE-200 (Information Exposure), indicating that sensitive information is leaked to unauthorized parties. The CVSS v3.1 score is 5.9 (medium severity), with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning the attack is network-based, requires high attack complexity, no privileges or user interaction, and impacts confidentiality only. The vulnerability does not affect data integrity or availability. Exploitation depends on specific server configurations that improperly handle file paths, which may not be common but are plausible in certain hosting environments. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The plugin is widely used in WordPress environments for backup and migration tasks, making this a relevant threat for websites relying on it for data protection.

For European organizations, the exposure of backup archives can lead to significant confidentiality breaches, including leakage of sensitive corporate data, customer information, and intellectual property. Since backups often contain comprehensive snapshots of websites and databases, unauthorized access could facilitate further attacks such as identity theft, fraud, or targeted phishing campaigns. Although the vulnerability does not directly affect system integrity or availability, the loss of confidentiality can damage organizational reputation and lead to regulatory non-compliance, especially under GDPR requirements. Organizations relying on WordPress and the Backup Migration plugin for their web infrastructure are at risk, particularly those with sensitive or regulated data. The medium severity rating reflects the need for timely remediation but also acknowledges the higher complexity of exploitation. The lack of authentication requirement increases risk, but the necessity of specific server misconfigurations somewhat limits widespread exploitation. Nonetheless, the potential impact on data privacy and compliance is substantial.

1. Upgrade the Backup Migration plugin to version 2.0.0 or later as soon as it becomes available, as this will address the improper backup path generation issue. 2. Restrict access to backup directories and log files at the web server level using .htaccess rules or equivalent configurations to prevent unauthenticated access. 3. Audit server configurations to ensure that file path handling and permissions do not allow unauthorized file retrieval, especially for backup and log files. 4. Implement web application firewalls (WAF) with rules to detect and block suspicious requests attempting to access backup files or logs. 5. Regularly monitor web server logs for unusual access patterns targeting backup or log files. 6. Educate site administrators on secure plugin management and the importance of timely updates. 7. Consider isolating backup storage locations outside the web root or using secure storage services with strict access controls. 8. Conduct periodic security assessments to identify similar path traversal or information disclosure issues in other plugins or custom code.