How to fix CVE-2025-15041?

Within 24 hours: Audit all BackWPup plugin installations across WordPress instances and document affected versions. Within 7 days: Disable the BackWPup plugin or replace with an alternative backup solution if version 5.6.2 or earlier is deployed. Within 30 days: Implement alternative backup strategy, monitor for suspicious administrative account activity, and review access logs for unauthorized privilege escalation attempts.

Is PHP affected by CVE-2025-15041?

The BackWPup WordPress backup plugin contains a critical privilege escalation vulnerability affecting all versions through 5.6.2, allowing unauthorized users to modify site settings and gain administrative access.

CVE-2025-15041

HIGH

2026-02-19 [email protected]

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

CVE Published

Feb 19, 2026 - 07:17 nvd

HIGH 7.2

Description

The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. This makes it possible for authenticated attackers, with level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Analysis

Technical Context

Classified as CWE-862 (Missing Authorization). The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. This makes it possible for authenticated attackers, with level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable u

Affected Products

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege es

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

CVE-2025-15041 vulnerability details – vuln.today

Back

CVE-2025-15041

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-15041

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code