CVE-2023-7165: 
WordPress vulnerability analysis and mitigation

The JetBackup WordPress plugin before version 2.0.9.9 contains a directory listing vulnerability (CVE-2023-7165) that was discovered and disclosed on November 30, 2023. The vulnerability affects the backup functionality of the plugin and allows malicious actors to access sensitive backup files. A partial fix was initially released in version 2.0.9.6, but the complete fix was implemented in version 2.0.9.9 (WPScan).

The vulnerability stems from the plugin's failure to implement index files to prevent public directory listing of sensitive directories in certain configurations. This oversight allows unauthorized access to the '/wp-content/uploads/jetbackup/*' directory, potentially exposing backup files and logs. The vulnerability has been assigned a CVSS score of 7.5 (High) and is classified as a Sensitive Data Disclosure issue, falling under the OWASP Top 10 category A3: Sensitive Data Exposure and CWE-200 (WPScan).

The vulnerability allows malicious actors to access and download backup files and logs stored in the JetBackup directory. Even after the partial fix in version 2.0.9.6, attackers could still directly access files by guessing the timestamp of the backup, potentially leading to unauthorized access to sensitive website data (WPScan).

The vulnerability has been fixed in JetBackup version 2.0.9.9. Website administrators are strongly advised to update to this version or later to prevent unauthorized access to backup files. The partial fix in version 2.0.9.6 removed the directory listing capability but did not fully address the security issue (WPScan).