Skip to main content

pCloud WP Backup CVE-2026-57757

| EUVDEUVD-2026-41313 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-02 Patchstack GHSA-v7j3-6p47-qxc7
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
vuln.today AI
7.1 HIGH

Remote CSRF needs no attacker privileges (PR:N) but requires an authenticated admin to click (UI:R); forged action exposes sensitive data (C:H) with limited state change (I:L).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:22 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions.

AnalysisAI

Cross-Site Request Forgery in the pCloud WP Backup WordPress plugin (versions 2.0.2 and earlier) allows a remote unauthenticated attacker to trick a logged-in administrator into submitting forged requests, leading to high-confidentiality impact and limited integrity impact on the WordPress site. The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R), reflecting network exploitation with no attacker privileges but required victim interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious CSRF page
Delivery
Phish logged-in WP admin
Exploit
Admin browser auto-submits forged request
Execution
Plugin action runs without nonce check
Impact
Sensitive backup/config data exposed

Vulnerability AssessmentAI

Exploitation Exploitation requires a WordPress administrator (or user with access to the plugin's actions) to be authenticated and to interact with attacker-controlled content while that session is active - this UI:R requirement is the primary limiting factor, meaning the attack cannot succeed silently or against non-authenticated targets. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate and internally consistent rather than critical. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious web page containing a hidden auto-submitting form or image request targeting the vulnerable pCloud WP Backup action, then lures a logged-in WordPress administrator to visit it (e.g., via phishing email or a link on a forum). Because the plugin does not validate an anti-CSRF nonce, the victim's browser submits the forged request with valid admin cookies, executing the backup/configuration action and potentially exposing sensitive backup or credential data. …
Remediation No vendor-released patch version is identified in the provided data, so the primary recommendation is to consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/pcloud-wp-backup/vulnerability/wordpress-pcloud-wp-backup-plugin-2-0-2-cross-site-request-forgery-csrf-vulnerability) and upgrade to a fixed release once published; if a version above 2.0.2 is available in the WordPress plugin repository, update to it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable pCloud WP Backup plugin (v2.0.2 and earlier) across all WordPress installations; migrate to an alternative backup solution with current security patches. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57757 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy