Skip to main content

Total Upkeep WordPress Backup Plugin CVE-2026-3143

| EUVDEUVD-2026-26502 MEDIUM
Missing Authorization (CWE-862)
2026-05-01 Wordfence
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 14:00 vuln.today
EUVD ID Assigned
May 01, 2026 - 13:45 euvd
EUVD-2026-26502
Analysis Generated
May 01, 2026 - 13:45 vuln.today
CVE Published
May 01, 2026 - 13:28 nvd
MEDIUM 5.3

DescriptionCVE.org

The Total Upkeep - WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_cli_cancel' function in all versions up to, and including, 1.17.1. This makes it possible for unauthenticated attackers to cancel a pending rollback, potentially preventing a WordPress installation from automatically reverting a failed update.

AnalysisAI

Unauthenticated attackers can cancel pending rollbacks in Total Upkeep WordPress Backup Plugin by BoldGrid (versions up to 1.17.1) due to missing capability checks on the wp_ajax_cli_cancel AJAX function, allowing malicious users to prevent automatic recovery from failed WordPress updates. CVSS 5.3 (network-accessible, low complexity) reflects the integrity impact and lack of authentication requirement, though real-world impact depends on whether rollback operations are actively pending during an update failure.

Technical ContextAI

Total Upkeep is a WordPress plugin providing backup, restore, and automatic rollback functionality for failed WordPress updates. The vulnerability exists in the wp_ajax_cli_cancel AJAX handler, which processes requests to cancel pending rollback operations without verifying the user has the required WordPress capability (typically manage_options). WordPress AJAX endpoints (wp-admin/admin-ajax.php) are publicly accessible but should implement nonce verification and capability checks to restrict actions to authorized administrators. This is a classic missing authorization check (CWE-862: Missing Authorization) in a WordPress plugin's AJAX callback. The affected function is registered as an unauthenticated AJAX action, meaning any remote user can invoke it by sending a POST request to the WordPress admin-ajax endpoint with the action parameter set to 'cli_cancel'.

RemediationAI

Vendor-released patch: Total Upkeep version 1.17.2 or later includes a capability check on the wp_ajax_cli_cancel function to restrict cancellation of rollbacks to authenticated administrators. Update the plugin immediately via WordPress admin dashboard (Plugins > Installed Plugins > Total Upkeep > Update) or via WP-CLI with 'wp plugin update boldgrid-backup'. For sites unable to update immediately, implement a Web Application Firewall (WAF) rule to block POST requests to wp-admin/admin-ajax.php with the action parameter 'cli_cancel', though this has the trade-off of potentially blocking legitimate administrative cancellations during troubleshooting. Additionally, restrict access to wp-admin/admin-ajax.php to known IP ranges if the site is in a controlled environment. See Wordfence vulnerability advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/f25dcd7e-8fb1-471e-bd22-782409de45c4?source=cve for patch confirmation.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-3143 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy