Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wp_db_temp_dir parameter, which controls where database backups are written. This makes it possible for unauthenticated attackers to send a request to wp-cron.php with a poisoned wp_db_temp_dir value pointing to a publicly accessible directory (e.g., wp-content/uploads/), and if a scheduled backup is due, intercept the backup file before it is cleaned up. The backup file has a predictable name based on the database name, table prefix, date, and Swatch Internet Time, making interception reliable. Successful exploitation leads to Sensitive Information Exposure including database credentials, user password hashes, and personally identifiable information. This vulnerability requires that the site administrator has configured scheduled backups.
AnalysisAI
Authorization bypass in Database Backup for WordPress plugin (≤2.5.2) enables unauthenticated attackers to redirect scheduled backup files to publicly accessible directories and retrieve them before cleanup. By poisoning the wp_db_temp_dir parameter via wp-cron.php, attackers can intercept database backups containing credentials, password hashes, and PII. Backup filenames follow predictable patterns (database name, table prefix, date, Swatch Internet Time), making interception reliable. Exploitation requires administrator-configured scheduled backups but no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N). EPSS and KEV data not provided; Wordfence-reported vulnerability with publicly accessible source code references enabling attack reproduction.
Technical ContextAI
The vulnerability exists in the Database Backup for WordPress plugin (cpe:2.3:a:wpengine:database_backup_for_wordpress), a PHP-based WordPress backup solution. The root cause is CWE-862 (Missing Authorization), where the plugin fails to validate the wp_db_temp_dir parameter that determines backup file storage locations. WordPress cron system (wp-cron.php) accepts external requests with arbitrary parameters, and this plugin trusts user-supplied paths without authentication checks. When scheduled backups execute, the plugin writes sensitive database dumps to attacker-controlled directories. The backup filename convention uses concatenated values (DB name + table prefix + timestamp in Swatch Internet Time format), creating a deterministic naming scheme. Source code references point to specific vulnerable functions in trunk/wp-db-backup.php lines 121, 85, 961, and 1568, with the fixed version implemented in changeset 3510595.
RemediationAI
Update Database Backup for WordPress plugin to version 2.5.3 or later, which implements authorization checks on the wp_db_temp_dir parameter per changeset 3510595 (https://plugins.trac.wordpress.org/changeset/3510595/). If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable scheduled backups via plugin settings and perform manual backups only during maintenance windows - eliminates attack window but reduces backup frequency and operational resilience; (2) Configure web server rules to block direct access to wp-cron.php from external IPs, allowing only internal/localhost requests - breaks legitimate external cron services and may require alternative scheduling mechanisms; (3) Implement Web Application Firewall rules to detect and block requests to wp-cron.php containing wp_db_temp_dir parameters - may generate false positives if legitimate plugin functionality uses this parameter. Long-term: transition to enterprise backup solutions with proper access controls rather than relying on plugins with historically weak authorization models.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30274
GHSA-7w7g-7m62-6985