CVE-2025-28954

EUVD-2025-17169 | HIGH 7.4 (CVSS 3.1)
Published: 2025-06-06

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026, 18:10 (vuln.today)
EUVD ID Assigned: Mar 14, 2026, 18:10 (euvd), EUVD-2025-17169
CVE Published: Jun 06, 2025, 13:15 (nvd), HIGH 7.4

Description

Cross-Site Request Forgery (CSRF) vulnerability in wphobby Backwp allows Path Traversal. This issue affects Backwp: from n/a through 2.0.2.

Analysis

Cross-Site Request Forgery (CSRF) vulnerability in the wphobby Backwp WordPress plugin (versions through 2.0.2) that enables a path traversal. The attacker needs no privileges on the site (PR:N) but does need user interaction (UI:R): a logged-in user, typically an administrator, must be lured to an attacker-controlled page that issues the forged request to the plugin's endpoint, and a traversal sequence in that request lets the plugin operate on a file outside its intended directory. The CVSS vector scores no confidentiality or integrity impact (C:N, I:N) and a high availability impact (A:H) with changed scope (S:C), so the rated consequence is disruption of the site rather than disclosure or modification of file contents; the advisory does not state which file operation is reachable. The 7.4 score is high, but the user-interaction requirement makes real-world exploitability moderate and dependent on social engineering of a privileged user.

Technical Context

The vulnerability stems from a state-changing request handler in the Backwp plugin that neither validates a CSRF token (a WordPress nonce) nor sanitizes a file-path parameter. CWE-352 (Cross-Site Request Forgery) is the primary weakness: the victim's browser automatically attaches the site's session cookies to a request triggered by the attacker's page, so the plugin processes it as if the victim had submitted it. The path traversal component (likely CWE-22) means the same forged request can carry directory traversal sequences (e.g. '../../../') in the file parameter to reach locations outside the plugin's backup directory. Backwp is a WordPress backup and migration plugin, so its handlers perform file operations with the web server's privileges, which is what makes the CSRF plus traversal combination dangerous. The public details name neither the affected endpoint nor the file operation; the CPE context only establishes that wphobby Backwp through version 2.0.2 is affected, which points at the plugin's backup/restore or file management features without confirming which one.
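The following is an added illustration of the weakness class described above, not Backwp's own code: the advisory names no endpoint, parameter or file operation, so the action name backwp_delete_backup, the file parameter and the choice of deletion (consistent with the availability-only scoring) are all assumptions. It shows the vulnerable pattern beside a hardened WordPress handler that checks a nonce, checks capability, and confines the path to the backup directory.

```php
<?php
// Added example for CVE-2025-28954's weakness class. Hook name, "file" parameter
// and the delete operation are ASSUMED for illustration; the advisory does not
// name them. Requires WordPress core functions (add_action, wp_upload_dir, ...).

// --- Vulnerable pattern: no nonce, no capability check, raw path joined -----
add_action( 'admin_post_backwp_delete_backup_vuln', function () {
    $dir  = wp_upload_dir()['basedir'] . '/backwp/';
    $file = $_REQUEST['file'];            // attacker-controlled, reachable via GET
    // A forged request from any logged-in admin's browser (e.g. an <img src=...>
    // on an attacker page) reaches this line; "../../wp-config.php" escapes the
    // backup directory (CWE-352 + CWE-22).
    if ( file_exists( $dir . $file ) ) {
        unlink( $dir . $file );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=backwp' ) );
    exit;
} );

// --- Hardened pattern ---------------------------------------------------------

// Resolve a user-supplied backup name to a path strictly inside the backup
// directory, or return null. basename() drops every directory component, and
// realpath() plus the prefix check defends against symlinks left in the directory.
function backwp_safe_backup_path( string $requested ): ?string {
    $base = realpath( wp_upload_dir()['basedir'] . '/backwp' );
    if ( false === $base ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . basename( $requested ) );
    if ( false === $candidate || 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $candidate;
}

add_action( 'admin_post_backwp_delete_backup', function () {
    // CSRF: the request must carry a nonce issued for exactly this action;
    // check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'backwp_delete_backup', '_wpnonce' );

    // Authorization is a separate control from CSRF protection.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    $path = backwp_safe_backup_path( (string) ( $_POST['file'] ?? '' ) );
    if ( null === $path ) {
        wp_die( 'Invalid backup file', 400 );
    }
    unlink( $path );
    wp_safe_redirect( admin_url( 'admin.php?page=backwp' ) );
    exit;
} );

// The form that drives the hardened action must embed the matching nonce, e.g.:
//   <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
//     <input type="hidden" name="action" value="backwp_delete_backup">
//     <?php wp_nonce_field( 'backwp_delete_backup' ); ?>
//     <input type="hidden" name="file" value="site.zip">
//   </form>
```

The nonce check alone closes the CSRF vector; the path confinement alone closes the traversal. Both are needed, because a legitimately authenticated administrator could otherwise still delete arbitrary files, and a forged request could otherwise still delete real backups.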

Affected Products

wphobby Backwp (All versions from unspecified baseline through 2.0.2)

Remediation

patch: Upgrade wphobby Backwp to a release newer than 2.0.2 that the vendor identifies as fixing this issue. The fixed version is not stated in the available intelligence, so verify it against the wphobby changelog or the WordPress plugin directory before relying on it.
immediate_mitigation: Deactivate the Backwp plugin until a patched version is confirmed available and tested.
workaround: Add Web Application Firewall (WAF) rules that block requests to the plugin's endpoints containing path traversal sequences (../, ..\, and their URL-encoded forms). A WAF cannot verify WordPress nonces; CSRF protection has to come from the plugin's code (check_admin_referer / wp_verify_nonce).
workaround: Restrict access to wp-admin and the plugin's endpoints by IP allowlisting or an additional authentication layer. This shrinks the exposure but does not stop CSRF from a browser that is already inside the allowlist, since the forged request originates from the victim's own session.
detection: Monitor web server access logs for traversal patterns in requests to the plugin's backup/file-management endpoints. POST bodies are not written to access logs, so also check WordPress or plugin audit logs for backup deletions or file operations no administrator initiated.
vendor_advisory: Check the wphobby website, WordPress plugin repository security notices, and WordPress security mailing lists for official patches and advisories.
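An added example for the detection item above, not code from vuln.today or wphobby: a small scanner for access-log lines that decodes percent-encoding (including double encoding), folds backslashes, and flags traversal in requests to a Backwp endpoint. The log lines are constructed, and the endpoint shape (/wp-admin/admin-post.php with an action=backwp_* parameter) is an assumption, since the advisory does not name the vulnerable endpoint.

```php
<?php
// Added detection example. Log lines below are CONSTRUCTED, and the endpoint
// pattern is an ASSUMPTION; adjust it to the real plugin routes once known.

// Decode percent-encoding until stable (max 3 rounds) so %252e%252e%252f is
// caught, then fold backslashes so "..\" is treated like "../".
function backwp_normalize_path( string $raw ): string {
    $prev = null;
    $s    = $raw;
    for ( $i = 0; $i < 3 && $s !== $prev; $i++ ) {
        $prev = $s;
        $s    = rawurldecode( $s );
    }
    return str_replace( '\\', '/', $s );
}

// True when a combined-format log line targets a Backwp admin-post action
// and its request path contains a traversal sequence after normalization.
function backwp_is_suspicious( string $logline ): bool {
    if ( ! preg_match( '/"(?:GET|POST|PUT|DELETE)\s+(\S+)\s+HTTP/', $logline, $m ) ) {
        return false;
    }
    $path = backwp_normalize_path( $m[1] );
    $hits_backup_endpoint = (bool) preg_match( '#/wp-admin/admin-post\.php.*[?&]action=backwp#i', $path );
    $has_traversal        = (bool) preg_match( '#\.\.(/|$)#', $path );
    return $hits_backup_endpoint && $has_traversal;
}

$constructed_log = [
    // benign delete of a real backup name
    '203.0.113.5 - - [06/Jun/2025:13:15:01 +0000] "GET /wp-admin/admin-post.php?action=backwp_delete_backup&file=site.zip HTTP/1.1" 302 0',
    // single-encoded traversal in the file parameter
    '203.0.113.5 - - [06/Jun/2025:13:15:07 +0000] "GET /wp-admin/admin-post.php?action=backwp_delete_backup&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 302 0',
    // POST: the body is not in the access log, so this line cannot be judged here
    '198.51.100.9 - - [06/Jun/2025:13:16:12 +0000] "POST /wp-admin/admin-post.php?action=backwp_delete_backup HTTP/1.1" 302 0',
    // double-encoded traversal using backslashes
    '198.51.100.9 - - [06/Jun/2025:13:16:40 +0000] "GET /wp-admin/admin-post.php?action=backwp_delete_backup&file=%252e%252e%255c%252e%252e%255cindex.php HTTP/1.1" 302 0',
    // traversal elsewhere on the site: out of scope for this rule
    '192.0.2.77 - - [06/Jun/2025:13:17:00 +0000] "GET /wp-content/uploads/2025/06/../img.png HTTP/1.1" 200 1024',
];

foreach ( $constructed_log as $line ) {
    if ( backwp_is_suspicious( $line ) ) {
        echo "ALERT: $line\n";
    }
}
// Flags lines 2 and 4 only.
```

The POST line shows the limit of access-log monitoring: parameters sent in the body never reach the log, so for a forged POST you need the plugin's or WordPress's own audit trail (or request-body logging at the WAF) rather than this scanner.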

Priority Score

37 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +37
POC: 0


CVE-2025-28954 vulnerability details – vuln.today
