Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Password Recovery Exploitation.This issue affects Backup and Staging by WP Time Capsule: from n/a through <= 1.22.25.
AnalysisAI
Authentication bypass in the WordPress plugin 'Backup and Staging by WP Time Capsule' (all versions through 1.22.25) lets remote, unauthenticated attackers abuse an alternate password-recovery channel to gain unauthorized account access without valid credentials. The flaw, reported by Patchstack and tracked as EUVD-2026-32208, carries a CVSS 7.5 (confidentiality-only impact) but currently has no public exploit identified at time of analysis and a very low EPSS exploitation probability of 0.04% (13th percentile). Successful exploitation exposes sensitive access to the affected site, and the plugin's backup/staging role makes any resulting account takeover especially damaging.
Technical ContextAI
The affected component is the 'Backup and Staging by WP Time Capsule' WordPress plugin (slug wp-time-capsule) by revmakx, which manages site backups and staging environments. The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel): the plugin exposes a secondary code path - described here as 'Password Recovery Exploitation' - that performs identity verification incorrectly, allowing it to be reached or satisfied without traversing the primary, properly-guarded login flow. No CPE string was supplied in the provided data, so exact platform tuples cannot be enumerated beyond the EUVD-listed range. Because the plugin handles backups (which can contain database dumps and credentials), an authentication bypass against it carries outsized confidentiality consequences, consistent with the CVSS vector showing C:H but I:N/A:N.
RemediationAI
No vendor-released patch version was identified in the provided data; the affected range ('<= 1.22.25') implies a fixed release above 1.22.25 may exist, but no fixed version is confirmed here, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-time-capsule/vulnerability/wordpress-backup-and-staging-by-wp-time-capsule-plugin-1-22-25-broken-authentication-vulnerability) for an updated version and upgrade as soon as one is published. Until then, the highest-assurance compensating control is to deactivate and remove the plugin (trade-off: loss of automated backup/staging functionality, so ensure an alternate backup mechanism is in place). Where the plugin must remain active, restrict network access to its password-recovery and AJAX/REST endpoints via web-server rules or IP allowlisting to admin networks (trade-off: legitimate remote recovery flows break and require coordination), and enable a WAF with Patchstack's virtual-patch ruleset for this CVE (trade-off: virtual patching mitigates but does not eliminate the underlying flaw). Avoid storing reusable credentials in backups reachable through the plugin to limit blast radius.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32208
GHSA-89j6-x8jj-2j36