CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.
Analysis
Unauthenticated attackers can trigger backup upload queue processing in Backup Migration plugin for WordPress (all versions up to 2.0.0) via the 'initializeOfflineAjax' AJAX endpoint, which lacks capability checks and relies on publicly exposed hardcoded tokens for validation. This allows remote attackers to cause unexpected backup transfers to cloud storage and resource exhaustion without authentication or user interaction. CVSS 5.3 (medium), no confirmed active exploitation reported.
Technical Context
The Backup Migration plugin (CPE: cpe:2.3:a:inisev:backupbliss_-_backup_&_migration_with_free_cloud_storage:*:*:*:*:*:*:*:*) implements AJAX endpoints for offline backup processing via the 'initializeOfflineAjax' function in offline.php and ajax_offline.php. The weakness is CWE-862 (Missing Authorization): the handler neither checks the caller's capabilities (the WordPress idiom is current_user_can()) nor verifies a request nonce (check_ajax_referer()). Instead it accepts any request that presents one of a small set of hardcoded token values, and those tokens are embedded in the plugin's JavaScript files, which are served to every visitor. Because the tokens are public and no session is required, any network-accessible attacker can craft a request indistinguishable from a legitimate backup initiation call, triggering the backup upload queue and pushing data to the pre-configured cloud storage destinations without permission. Note that a nonce on its own would not have closed the hole: nonces defend against cross-site request forgery, while the absent capability check is what lets unauthenticated callers through.
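To make the two missing controls concrete, here is an added example that is not code from the Backup Migration plugin or from Inisev: a hypothetical WordPress AJAX handler that gates a privileged operation on a constant token shipped to the browser, beside the same handler hardened with a nonce check and a capability check. All `hypothetical_*` names, the `manage_options` capability, and the `offline.js` file name are assumptions chosen for illustration; the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_create_nonce`, `wp_localize_script`, `wp_send_json_error`, `wp_send_json_success`) are real core APIs.

```php
<?php
/**
 * Illustrative pattern only (hypothetical; not the plugin's actual code).
 * Shows why "validate against a hardcoded token" is not authorization,
 * and what a correct WordPress AJAX guard looks like.
 */

// --- Vulnerable pattern ------------------------------------------------------
// A constant baked into the plugin and echoed into its JavaScript bundle.
// Anyone can read it from the page source and replay it.
define( 'HYPOTHETICAL_OFFLINE_TOKEN', 'static-token-shipped-in-js' );

// Registering the nopriv hook makes the endpoint reachable with no session.
add_action( 'wp_ajax_hypothetical_offline_init',        'hypothetical_offline_init_vulnerable' );
add_action( 'wp_ajax_nopriv_hypothetical_offline_init', 'hypothetical_offline_init_vulnerable' );

function hypothetical_offline_init_vulnerable() {
    $token = isset( $_POST['token'] ) ? (string) $_POST['token'] : '';
    if ( ! hash_equals( HYPOTHETICAL_OFFLINE_TOKEN, $token ) ) {
        wp_send_json_error( 'bad token', 403 );
    }
    // No current_user_can(), no check_ajax_referer(): every visitor who has
    // read the JS knows the token and can start the upload queue at will.
    hypothetical_process_upload_queue();
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------------
// Only the authenticated hook is registered; wp_ajax_nopriv_ is deliberately
// omitted so anonymous requests never reach the handler.
add_action( 'wp_ajax_hypothetical_offline_init_safe', 'hypothetical_offline_init_hardened' );

function hypothetical_offline_init_hardened() {
    // 1. Nonce: proves the request came from a page WordPress rendered for this
    //    user within the nonce lifetime (CSRF defence). With $stop = true,
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'hypothetical_offline_init', 'nonce', true );

    // 2. Capability: proves the user may run backups at all. A valid nonce from
    //    a subscriber-level account must still be rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    hypothetical_process_upload_queue();
    wp_send_json_success();
}

// The nonce is minted server-side per user/session and handed to the script
// through wp_localize_script(), instead of living as a constant in the bundle.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'hypothetical-offline',
        plugins_url( 'offline.js', __FILE__ ),
        array(),
        '1.0',
        true
    );
    wp_localize_script( 'hypothetical-offline', 'hypotheticalOffline', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hypothetical_offline_init' ),
    ) );
} );

function hypothetical_process_upload_queue() {
    // Stand-in for the expensive work the advisory describes: iterating the
    // queued backup files and pushing them to the configured cloud targets.
    do_action( 'hypothetical_offline_queue_start' );
}
```

The token compare in the vulnerable branch uses `hash_equals()` to show that even a timing-safe comparison does not help: the problem is not how the token is compared but that the secret is public and that the check answers "does the caller know the token" rather than "is the caller allowed to do this". The hardened branch separates the two questions, request authenticity (nonce) and caller authorization (capability), and removes the unauthenticated hook entirely.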
Affected Products
The Backup Migration plugin (also known as Backup Bliss - Backup & Migration with Free Cloud Storage), maintained by Inisev, is vulnerable in all versions through 2.0.0. The WordPress plugin repository identifies the affected package by the slug 'backup-backup'. Wordfence tracks the affected product under the CPE cpe:2.3:a:inisev:backupbliss_-_backup_&_migration_with_free_cloud_storage:*:*:*:*:*:*:*:*. The Trac changeset comparison between version 2.0.0 and 2.1.0 shows the remediation path.
Remediation
Upgrade the Backup Migration plugin to version 2.1.0 or later, which adds proper authorization checks and nonce verification to the 'initializeOfflineAjax' endpoint; the Trac changeset for 2.1.0 confirms the fix. Until the upgrade is applied, disable the offline backup functionality in the plugin configuration or deactivate the plugin entirely, since the vulnerable endpoint is reachable without authentication and a hardened password policy or login protection does nothing to mitigate it. Refer to the Wordfence vulnerability page (https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847) for additional context and to the official WordPress Backup Migration plugin page for the patched version.
Related Identifiers
EUVD-2025-209272
GHSA-9xx8-gvm8-cvc3