Skip to main content

WP Time Capsule CVE-2026-42760

| EUVDEUVD-2026-32208 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-27 audit@patchstack.com GHSA-89j6-x8jj-2j36
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:34 vuln.today

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Password Recovery Exploitation.This issue affects Backup and Staging by WP Time Capsule: from n/a through <= 1.22.25.

AnalysisAI

Authentication bypass in the WordPress plugin 'Backup and Staging by WP Time Capsule' (all versions through 1.22.25) lets remote, unauthenticated attackers abuse an alternate password-recovery channel to gain unauthorized account access without valid credentials. The flaw, reported by Patchstack and tracked as EUVD-2026-32208, carries a CVSS 7.5 (confidentiality-only impact) but currently has no public exploit identified at time of analysis and a very low EPSS exploitation probability of 0.04% (13th percentile). Successful exploitation exposes sensitive access to the affected site, and the plugin's backup/staging role makes any resulting account takeover especially damaging.

Technical ContextAI

The affected component is the 'Backup and Staging by WP Time Capsule' WordPress plugin (slug wp-time-capsule) by revmakx, which manages site backups and staging environments. The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel): the plugin exposes a secondary code path - described here as 'Password Recovery Exploitation' - that performs identity verification incorrectly, allowing it to be reached or satisfied without traversing the primary, properly-guarded login flow. No CPE string was supplied in the provided data, so exact platform tuples cannot be enumerated beyond the EUVD-listed range. Because the plugin handles backups (which can contain database dumps and credentials), an authentication bypass against it carries outsized confidentiality consequences, consistent with the CVSS vector showing C:H but I:N/A:N.

RemediationAI

No vendor-released patch version was identified in the provided data; the affected range ('<= 1.22.25') implies a fixed release above 1.22.25 may exist, but no fixed version is confirmed here, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-time-capsule/vulnerability/wordpress-backup-and-staging-by-wp-time-capsule-plugin-1-22-25-broken-authentication-vulnerability) for an updated version and upgrade as soon as one is published. Until then, the highest-assurance compensating control is to deactivate and remove the plugin (trade-off: loss of automated backup/staging functionality, so ensure an alternate backup mechanism is in place). Where the plugin must remain active, restrict network access to its password-recovery and AJAX/REST endpoints via web-server rules or IP allowlisting to admin networks (trade-off: legitimate remote recovery flows break and require coordination), and enable a WAF with Patchstack's virtual-patch ruleset for this CVE (trade-off: virtual patching mitigates but does not eliminate the underlying flaw). Avoid storing reusable credentials in backups reachable through the plugin to limit blast radius.

Share

CVE-2026-42760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy