Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Remote CSRF needs no attacker privileges (PR:N) but requires an authenticated admin to click (UI:R); forged action exposes sensitive data (C:H) with limited state change (I:L).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions.
AnalysisAI
Cross-Site Request Forgery in the pCloud WP Backup WordPress plugin (versions 2.0.2 and earlier) allows a remote unauthenticated attacker to trick a logged-in administrator into submitting forged requests, leading to high-confidentiality impact and limited integrity impact on the WordPress site. The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R), reflecting network exploitation with no attacker privileges but required victim interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a WordPress administrator (or user with access to the plugin's actions) to be authenticated and to interact with attacker-controlled content while that session is active - this UI:R requirement is the primary limiting factor, meaning the attack cannot succeed silently or against non-authenticated targets. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderate and internally consistent rather than critical. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious web page containing a hidden auto-submitting form or image request targeting the vulnerable pCloud WP Backup action, then lures a logged-in WordPress administrator to visit it (e.g., via phishing email or a link on a forum). Because the plugin does not validate an anti-CSRF nonce, the victim's browser submits the forged request with valid admin cookies, executing the backup/configuration action and potentially exposing sensitive backup or credential data. … |
| Remediation | No vendor-released patch version is identified in the provided data, so the primary recommendation is to consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/pcloud-wp-backup/vulnerability/wordpress-pcloud-wp-backup-plugin-2-0-2-cross-site-request-forgery-csrf-vulnerability) and upgrade to a fixed release once published; if a version above 2.0.2 is available in the WordPress plugin repository, update to it immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable pCloud WP Backup plugin (v2.0.2 and earlier) across all WordPress installations; migrate to an alternative backup solution with current security patches. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Pcloud Wp Backup
View allSame weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41313
GHSA-v7j3-6p47-qxc7