Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AC:H reflects that exploitation requires a prior admin decrypt action beyond the attacker's control; PR:L confirmed by subscriber-level requirement; no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the download_recent_decrypted_file_wptc. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract download the most recently admin-decrypted SQL database backup, which typically contains password hashes, user credentials, and other sensitive site configuration data stored in the 'recent_decrypted_file' option. Exploitation requires that an administrator has previously performed a decrypt action, causing the decrypted SQL backup file to exist in the plugin's upload directory; without this prior admin action, there is no file to serve.
AnalysisAI
Sensitive information exposure in the Backup and Staging by WP Time Capsule WordPress plugin (all versions through 1.22.26) allows authenticated attackers with subscriber-level access to download a previously admin-decrypted SQL database backup via the unprotected download_recent_decrypted_file_wptc endpoint. The downloaded backup typically contains WordPress password hashes, user credentials, and site configuration data stored in the recent_decrypted_file plugin option. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two concrete prerequisites must both be satisfied. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects network reachability, low attack complexity, and high confidentiality impact, but scores subscriber-level authentication (PR:L) and misses the additional prerequisite that an admin must have previously triggered a decrypt operation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds a subscriber-level WordPress account - obtained through open registration or compromised credentials - authenticates to a target site and crafts a direct HTTP GET request to the `download_recent_decrypted_file_wptc` endpoint. If an administrator has recently used the plugin's decrypt feature, the endpoint serves the cached SQL dump without authorization checks, yielding a complete database backup with WordPress user table hashes and any credentials or tokens stored in wp_options. … |
| Remediation | A patch commit is referenced via the WordPress.org SVN changeset 3563585 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3563585%40wp-time-capsule&new=3563585%40wp-time-capsule); however, the exact version number of the released patched build is not independently confirmed from available data - update to the latest available version in the WordPress plugin repository and verify the installed version exceeds 1.22.26 before considering the issue resolved. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42527
GHSA-cxpp-m57j-hhq8