Headline

CVE-2021-36884: Backup Migration

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered in WordPress Backup Migration plugin <= 1.1.5 versions.

2 years ago

CVE

Open in Source

#sql #xss #vulnerability #web #google #microsoft #amazon #java

Details
Reviews
Installation
Support
Development

Creating a backup of your site has never been easier!

Simply install the plugin, click on “Create backup now” – done.

Try it out on your free dummy site: Click here => https://tastewp.com/plugins/backup-backup.

You can also schedule backups, e.g. define that a backup should be taken automatically every week (or every day/month).

Use a wide choice of configuration options:

Define exactly which files / databases should be in the backup, which not
Define where the backup will be stored (as of now, only local option is available, but we’ll expand this soon)
Define what name your backup should have, in which instances you should receive a notification email, and much more

This plugin is all in one solution if you need to migrate your site to another host or just restore the local backup.

Note: This (free) version is limited to backups of 2GB in size. For unlimited sizes, please have a look at the Premium Plugin.

If any questions come up, please ask us in the Support Forum – we’re always happy to help!

Admin Installer via search

Visit the Add New plugin screen and select “Author” from the dropdown near search input
Search for “Migrate”
Find “Backup Migration” and click the “Install Now” button.
Activate the plugin.
The plugin should be shown below settings menu.

Admin Installer via zip

Visit the Add New plugin screen and click the “Upload Plugin” button.
Click the “Browse…” button and select the zip file of our plugin.
Click “Install Now” button.
Once uploading is done, activate Backup Migration.
The plugin should be shown below the settings menu.

How do I create my first backup?

Click on “Create backup now” on the settings page of the Backup Migration plugin.

Backup Migration will by default create a backup that contains everything from your site, except the Backup Migration plugin’s own backups and WordPress installation – if you want to include the WordPress installation as well, tick the checkbox in the section “What will be backed up?”.

You can download backup or migrate your backup (use the plugin as a WordPress duplicator) immediately after the backup has been created.

How do I restore a backup?

If your backup is located on your site: Go to the Backup Migration plugin screen, then to the Manage & Restore Backup(s) tab where you have your backups list, click on the Restore button next to the backup you would like to restore.
If your backup is located on another site: Go to the Backup Migration plugin screen on site #1, then to the Manage & Restore Backup(s) tab where you have the backups list, click on the “Copy Link”-button in the “Actions”-column. Go to the Backup Migration plugin screen on site #2, then to the Manage & Restore Backup(s) tab, click on “Super-quick migration”, paste the copied link, and hit the “Restore now!” button. This process will first import backup then restore it, i.e. Backup Migrate also serves as backup importer.
If your backup is located on another device: Go to the Backup Migration plugin screen, then to the Manage & Restore Backup(s) tab, and click on the “Upload backup files” button. After the upload, click on the Restore button next to the backup you would like to restore.

How do I migrate or clone my site?

Migrate (or clone) a WordPress site by creating a full backup on the site that you want to migrate (clone) – site #1.

To transfer website directly from site #1 to site #2: Go to the Backup Migration plugin screen on site #1, then to the Manage & Restore Backup(s) tab where you have the backups list, click on the Copy Link button in the Actions column. Go to the Backup Migration plugin screen on site #1, then to the Manage & Restore Backup(s) tab, click on “Super-quick migration”, paste the copied link, and hit the “Restore now!” button. Make sure that the backup file on site #1 is accessible by setting “Accessible via direct link?” to “Yes” in the plugin section “Where shall the backup(s) be stored?”
To migrate the website indirectly: Go to the Backup Migration plugin screen, then to the Manage & Restore Backup(s) tab, and click on the “Upload backup files” button. After the upload, click on the Restore button next to the backup you would like to restore.

Where can I find my backups?

Backup Migration allows you to download backups, migrate backups, or delete backups directly from the plugin screen Manage & Restore Backup(s). By default, the migrator plugin will store a backup to /wordpress/wp-content/backup-migration but you can change the backup location to anywhere you please.

How to run automatic backups?

Enabling automatic backups is done on the Backup Migration plugin’s home screen, just next to the “Create backup now!” button. Auto backup can run on a monthly, weekly, or daily basis. You can set the exact time (and day) and how many automatic backups would you like to keep in the same Backup Migration plugin section. We recommend that you optimize the number of backups that will be kept according to available space.

How big are backup files?

Backup file size depends on the criteria you select on the “What will be backed up?” section of the Backup Migration plugin. There you can see file/folder size calculations as you Save your settings. Usually, WordPress’ Uploads folder is the heaviest, while Databases are the lightest. If you are looking to save up space, you might want to deselect Plugins and WordPress installation folders, as you can usually download those anytime from WP sources.

Is the backup creation and site migration free?

Yes. You can create full site backups, automatic backups, and migrate your site (duplicate site) free of charge. Backup Migration Pro provides more sophisticated filters and selections of files that will be included/excluded from backups (affecting backup size), faster backup creation times, number of external backup storage locations, backup encryption, backup file compression methods, advanced backup triggers, additional backup notifications by email, priority support, and more.

Is cloud backup available?

Backup to cloud are some of the upcoming features, that will be available,
In Free version: Google Drive, FTP, Amazon S3, Rackspace, DreamObjects, Openstack and
In Premium version: Google cloud, SFTP/SCP, Microsoft Azure, OneDrive, Backblaze, and more.

How are you better than other backup/migration plugins?

Besides having the most intuitive interface and smoothest user experience, Backup Migration plugin will always strive to give you more than any competitor:
– Updraftplus: They charge for migration, with our plugin it’s free;
– All-in-One WP Migration: In the free version, compared to our plugin – they don’t have selective/partial backups; they lack advanced options and each external storage is on a separate extension plugin; they have no automatic backups;
– Duplicator: In the free version, compared to our plugin – they have no selective backups, exclusion rules, no automatic backups and no migration;
– WPvivid: In the free version, compared to our plugin – they don’t have selective/partial backups, exclusion rules, or automatic backups;
– BackWPup: In the free version, compared to our plugin – they lack restore options, backups are slower, automatic backups are dependant on wp cron;
– Backup Guard: In the free version, compared to our plugin – they have no selective backups, exclusion rules; no direct migration;
– XCloner: Automatic backups are dependant on wp cron; full restore not available on a local server;
– Total Upkeep: They lack the advanced selective backups and exclusion rules, lacks a monthly backup schedule

Superb plugin. Recommended!!!

Alles was es braucht in der Free-Version! Top!

It is simply the best back-up/migration plugin of all. Do not look for any other, really.

This is a nice plugin. Backups are fast and the plugin is easy to use.

Easy to use and works great.

Don’t overlook the need to backup or migrate your site. It will save you time, anxiety, and money. And this plugin makes it easy. thank you!

Read all 169 reviews

“Backup Migration” is open source software. The following people have contributed to this plugin.

Contributors

migrate

1.1.6

Plugin tested with PHP 8.1
Plugin tested with WP Version 5.8.2
Fixed PHP CLI for sites above 2 GB (premium)
Modified default settings for new users, to solve most common issues
Modified default query output to 500 per batch, to solve most common database issue
Fixed undefined variables of zipping module (PHP 7.4+)
Fixed backups made with PHP CLI when the ZIP wasn’t closed correctly
Visual updates for our cool banner
Super-Quick Migration now should work with PHP CLI
Now WordPress version will be displayed in the logs
Fixed English typo in logs “enginge” => “engine”
Added additional sanitization for e-mail, e-mail title and directory (Thank you @Vlad Visse (Patchstack))
Added version tag

1.1.5

Fixed typos in tooltip about queries
Modified default value of queries

1.1.4

Tested up to WordPress 5.8.1
Fixed warnings in PHP 8 and adjusted ob_clean functions (Thank you @jrevillini)
Added force stop for restoration and migration process
Added force stop for backup process (troubleshooting option)
Added splitting option for restore and migration process
Fixed STEP display in process window for restore and backup
Adjusted logs output for restore and backup process
Updated database engine for export and import using new technique
Added new option to specify export queries per file and restore batch
Implemented splitting n into CLI restoration (disabled by default)

1.1.3

Fixed PHP CLI migration process (in case of different table prefix)
Restricted access to global logs
Restricted access to backup logs
Added censor for backup name in all log files
Added censor for sensitive details in global log and others
Randomize folder name for each site, it will rename old directory as well
Backup hash name will be now extended up to 16 characters including A-z
Decreased default database batch size to 250 from 2500 queries
Added constant ABSPATH for exclusion rules
Tested up to WordPress 5.8

1.1.2

Added new option which allow to specify own PHP CLI path
Added possibility to disable PHP CLI for both restore and backup process
Fixed output data restore process – should not hang up on success
Fixed output data for backup process – should not hang up on success as well
Added batching for restore process, should extend execution time
Increased batch size for huge sites up to 40k files per batch
Increased default max size of batch from 60 MB to 96 MB
Fixed issues with PHP CLI when the output was not correct
Added possibility to download live log of restore process (useful when it hang up)
Restore process now can calculate file amount before extraction
Added secret keys for restore process – should be much more secure now
Added batching for database export, plugin should use maximum execution time now
Removed debug information in console log (should be in 1.1.1)
Added batching for files extraction during restore process
Restore process now shows extraction progress – the process is slower because of it but more stable
Fixed PHP CLI for premium users where the site is too large
Fixed SuperQuick Migration via PHP CLI – now the process should continue automatically
Added notice logging into restore process
Now restore process will continue on notice like uninitialized classname
Fixed issue when restore process hangs up (5.6 – 7.4 PHP versions) due to uninitialized classname

1.1.1

Modified restore safe limit calculation for better performance
Fixed issues with restore on PHP 8
Fixed database restore issues, when the database is damaged
Adjusted database parser for older MySQL versions
Updated storage front-end UX

1.1.0

Fully tested with WordPress 5.7.2
Fixed rare notices and warnings of PHP 8
New database engine for restore and backup process
Rewritten find and replace method for database migration
Changed default configuration settings
Added “insecure download” option for LiteSpeed Web Servers
Added possibility to run backup or restore process via shell (PHP CLI aka WP CLI)
Increased support for free users up to 2 GB size of site.
Final files now will be included in the last batch (for cURL and Browser method)
Update of success modals (restore & backup)
New smart PHP CLI detection tool, it will check for valid PHP executable binary file
Plugin now requires at least PHP CLI of 5.6 version – for older it will run legacy methods
Fixed automatic backup issue when it was impossible to disable with plugin’s options
Increased stability of hick-ups screens, false positives should not happen now
Added full support for ZipArchive add-on
Super-Quick Migration now can run as PHP CLI process (download can’t be aborted by Web Server now)
Backups created with this version are not supported by older versions of this plugin
Backups created with older versions can be restored with this version (1.1.0) and above
Newly created backups should not cause fatal errors if they were aborted / killed during restore
Hardly excluded wp-config.php from backup, can be restored only manually if needed
Fixed error “Tried to allocate xxx bytes” during migration & backup (tested up to 650 MB database size)
Excluded other plugins from Backup Migration plugin error log
Optimized logging for global logs of Backup Migration log – file should be smaller now
Added new settings in “Other Options” section
If restore fail the temporary files should be fully cleaned up now

1.0.9

Fixed issue of v1.0.8 [Automatic backups does not work]
Fixed issue of v1.0.8 [Download of backup does not work]

1.0.8

Added warnings for huge files (above 60 MB)
Increased timeout limit
Now plugin will ignore server abort command (should help in some cases)
Progress bar won’t show the counter if file count isn’t known
Increased default memory to (minimum: 384 MB)
Added smart chunker for bigger sites (now it’s possible to have chunks of 2500 files)
Improved performance of the backups (should be much faster for sites 3000+ files)
Database import is now memory friendly (database size can be really big, without error)
Database export is also chunked for better stability of the backup
Support for page builders – now cloned site should be perfect mirror
Quick Migration: Removed timeout for huge files (should download full file now)
Added better memory calculator, mostly improvement for shared hostings.
Fixed issues on SunOS with free space calculator.
Added support for installations not inside root (e.g. domain.tld, domain.tld/wordpress)
Fixed issue when your database contains ‘-‘ character (fetch() function)
Fixed PclZip issue i.e. “requires at least 18 bytes”
Fixed BMI\Plugin\Zipper\finfo_open() error
Premium: Replaced PclZip with more stable & dedicated edition of this module
Premium: Improved performance of the core overall (smaller size to decrypt)
Since now only site Administrator can manage backups by default
Added permission “do_backups” – users with this permissions
Added new option “Bypass server limits”
Added support for ZipArchive (only when some bypass function is enabled)
Added support for PHP Cli – it will be preferred option now