Medium severity4.3NVD Advisory· Published Mar 7, 2023· Updated Jun 17, 2026
CVE-2022-4931
CVE-2022-4931
Description
The BackupWordPress plugin for WordPress is vulnerable to information disclosure in versions up to, and including 3.12. This is due to missing authorization on the heartbeat_received() function that triggers on WordPress heartbeat. This makes it possible for authenticated attackers, with subscriber-level permissions and above to retrieve back-up paths that can subsequently be used to download the back-up.
Affected products
2- Range: <=3.12
- willmot/BackUpWordPressv5Range: 3.12
Patches
Vulnerability mechanics
References
2- plugins.trac.wordpress.org/changesetnvdPatch
- www.wordfence.com/threat-intel/vulnerabilities/id/747c86f4-118b-4a9c-899c-e9067d2c7a02nvdThird Party Advisory
News mentions
0No linked articles in our index yet.