WP SuperBackup CVE-2024-56064
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Upload a Web Shell to a Web Server.This issue affects WP SuperBackup: from n/a through <= 2.3.3.
AnalysisAI
Unrestricted file upload in azzaroco's WP SuperBackup WordPress plugin (versions through 2.3.3) enables remote unauthenticated attackers to upload arbitrary files including web shells, leading to full server compromise. The maximum CVSS score of 10.0 combined with an EPSS score of 55.52% (98th percentile) indicates very high exploitation probability, though no public exploit was identified at time of analysis and the issue is not yet listed in CISA KEV.
Technical ContextAI
WP SuperBackup is a WordPress backup plugin (slug: indeed-wp-superbackup) developed by azzaroco, distributed via the WordPress ecosystem. The vulnerability falls under CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaw where an application accepts file uploads without adequately validating file type, extension, or content, allowing executable scripts (PHP web shells in WordPress contexts) to be written into web-accessible directories. Because WordPress executes PHP files under the web server user, a successful upload of a .php payload into a reachable plugin directory results in arbitrary code execution within the WordPress process context.
Affected ProductsAI
WP SuperBackup WordPress plugin (plugin slug: indeed-wp-superbackup) by author azzaroco, all versions from unspecified initial release through and including 2.3.3. No CPE entries were provided in the input data and no vendor advisory URL was supplied beyond the Patchstack reporter attribution (audit@patchstack.com), so confirmation of the affected version range relies on the NVD description text.
RemediationAI
No vendor-released patch version is identified in the available data - the description states the issue affects WP SuperBackup 'through <= 2.3.3' without naming a fixed release, so administrators should consult Patchstack and the WordPress.org plugin page for an update beyond 2.3.3 and apply it immediately once published. Until a fixed version is confirmed, the most reliable compensating control is to deactivate and remove the indeed-wp-superbackup plugin from affected WordPress installations, accepting the trade-off of losing the backup functionality and needing to switch to an alternative backup solution. Additional mitigations include blocking write access to plugin upload endpoints via a WAF rule that rejects requests with .php (and other executable) Content-Type or filename extensions in upload parameters, and restricting filesystem-level execute permissions on wp-content/uploads and any plugin-controlled upload directory; the latter can break legitimate plugin functionality that relies on executing helper scripts. Monitor wp-content directories for newly created PHP files as a detective control.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today