Skip to main content

Database Backup for WordPress EUVDEUVD-2026-30274

| CVE-2026-4031 HIGH
Missing Authorization (CWE-862)
2026-05-14 Wordfence GHSA-7w7g-7m62-6985
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 13:16 vuln.today
CVE Published
May 14, 2026 - 12:32 nvd
HIGH 7.5

DescriptionCVE.org

The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wp_db_temp_dir parameter, which controls where database backups are written. This makes it possible for unauthenticated attackers to send a request to wp-cron.php with a poisoned wp_db_temp_dir value pointing to a publicly accessible directory (e.g., wp-content/uploads/), and if a scheduled backup is due, intercept the backup file before it is cleaned up. The backup file has a predictable name based on the database name, table prefix, date, and Swatch Internet Time, making interception reliable. Successful exploitation leads to Sensitive Information Exposure including database credentials, user password hashes, and personally identifiable information. This vulnerability requires that the site administrator has configured scheduled backups.

AnalysisAI

Authorization bypass in Database Backup for WordPress plugin (≤2.5.2) enables unauthenticated attackers to redirect scheduled backup files to publicly accessible directories and retrieve them before cleanup. By poisoning the wp_db_temp_dir parameter via wp-cron.php, attackers can intercept database backups containing credentials, password hashes, and PII. Backup filenames follow predictable patterns (database name, table prefix, date, Swatch Internet Time), making interception reliable. Exploitation requires administrator-configured scheduled backups but no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N). EPSS and KEV data not provided; Wordfence-reported vulnerability with publicly accessible source code references enabling attack reproduction.

Technical ContextAI

The vulnerability exists in the Database Backup for WordPress plugin (cpe:2.3:a:wpengine:database_backup_for_wordpress), a PHP-based WordPress backup solution. The root cause is CWE-862 (Missing Authorization), where the plugin fails to validate the wp_db_temp_dir parameter that determines backup file storage locations. WordPress cron system (wp-cron.php) accepts external requests with arbitrary parameters, and this plugin trusts user-supplied paths without authentication checks. When scheduled backups execute, the plugin writes sensitive database dumps to attacker-controlled directories. The backup filename convention uses concatenated values (DB name + table prefix + timestamp in Swatch Internet Time format), creating a deterministic naming scheme. Source code references point to specific vulnerable functions in trunk/wp-db-backup.php lines 121, 85, 961, and 1568, with the fixed version implemented in changeset 3510595.

RemediationAI

Update Database Backup for WordPress plugin to version 2.5.3 or later, which implements authorization checks on the wp_db_temp_dir parameter per changeset 3510595 (https://plugins.trac.wordpress.org/changeset/3510595/). If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable scheduled backups via plugin settings and perform manual backups only during maintenance windows - eliminates attack window but reduces backup frequency and operational resilience; (2) Configure web server rules to block direct access to wp-cron.php from external IPs, allowing only internal/localhost requests - breaks legitimate external cron services and may require alternative scheduling mechanisms; (3) Implement Web Application Firewall rules to detect and block requests to wp-cron.php containing wp_db_temp_dir parameters - may generate false positives if legitimate plugin functionality uses this parameter. Long-term: transition to enterprise backup solutions with proper access controls rather than relying on plugins with historically weak authorization models.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-30274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy