Skip to main content

WP Time Capsule CVE-2026-8996

| EUVDEUVD-2026-42527 MEDIUM
Missing Authorization (CWE-862)
2026-07-09 Wordfence GHSA-cxpp-m57j-hhq8
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

AC:H reflects that exploitation requires a prior admin decrypt action beyond the attacker's control; PR:L confirmed by subscriber-level requirement; no integrity or availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:49 vuln.today
CVE Published
Jul 09, 2026 - 06:52 nvd
MEDIUM 6.5

DescriptionCVE.org

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the download_recent_decrypted_file_wptc. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract download the most recently admin-decrypted SQL database backup, which typically contains password hashes, user credentials, and other sensitive site configuration data stored in the 'recent_decrypted_file' option. Exploitation requires that an administrator has previously performed a decrypt action, causing the decrypted SQL backup file to exist in the plugin's upload directory; without this prior admin action, there is no file to serve.

AnalysisAI

Sensitive information exposure in the Backup and Staging by WP Time Capsule WordPress plugin (all versions through 1.22.26) allows authenticated attackers with subscriber-level access to download a previously admin-decrypted SQL database backup via the unprotected download_recent_decrypted_file_wptc endpoint. The downloaded backup typically contains WordPress password hashes, user credentials, and site configuration data stored in the recent_decrypted_file plugin option. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain subscriber-level WordPress credentials
Delivery
Authenticate to target WordPress site
Exploit
Identify WP Time Capsule plugin is active
Execution
Issue GET request to download_recent_decrypted_file_wptc endpoint
Persist
Receive unprotected decrypted SQL backup
Impact
Extract password hashes and credentials offline

Vulnerability AssessmentAI

Exploitation Two concrete prerequisites must both be satisfied. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects network reachability, low attack complexity, and high confidentiality impact, but scores subscriber-level authentication (PR:L) and misses the additional prerequisite that an admin must have previously triggered a decrypt operation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a subscriber-level WordPress account - obtained through open registration or compromised credentials - authenticates to a target site and crafts a direct HTTP GET request to the `download_recent_decrypted_file_wptc` endpoint. If an administrator has recently used the plugin's decrypt feature, the endpoint serves the cached SQL dump without authorization checks, yielding a complete database backup with WordPress user table hashes and any credentials or tokens stored in wp_options. …
Remediation A patch commit is referenced via the WordPress.org SVN changeset 3563585 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3563585%40wp-time-capsule&new=3563585%40wp-time-capsule); however, the exact version number of the released patched build is not independently confirmed from available data - update to the latest available version in the WordPress plugin repository and verify the installed version exceeds 1.22.26 before considering the issue resolved. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy