VYPR
High severity · 7.2 · NVD Advisory · Published Mar 1, 2025 · Updated Apr 15, 2026

CVE-2024-13910

Description

The Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress (versions up to and including 2.35) allows authenticated attackers with Administrator-level access to delete arbitrary files because of insufficient file path validation, potentially leading to remote code execution (RCE).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the database_backup_ajax_delete function of the Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress. The function fails to properly validate the file path provided in AJAX requests, allowing an attacker to specify arbitrary paths. This affects all versions up to and including 2.35. The plugin defines its version constant in database-backup.php [1].
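
An added example, not the plugin's code or its 2.36 patch: the kind of path containment check that the paragraph above describes as missing, written as stand-alone PHP. The helper name resolve_backup_path, the backups directory layout and the sample file names are assumptions constructed for illustration.

```php
<?php
// Added illustration only; hypothetical helper, not taken from the plugin.
// Resolve a requested backup name to a real file inside $backupDir,
// or return null when the request would escape that directory.
function resolve_backup_path(string $backupDir, string $requested): ?string
{
    $base = realpath($backupDir);
    if ($base === false) {
        return null;                        // backup directory missing
    }
    // Accept a bare file name only: no separators, no NUL, no dot entries.
    if ($requested === '' || $requested !== basename($requested)
        || strpos($requested, "\0") !== false
        || $requested === '.' || $requested === '..') {
        return null;
    }
    // realpath() resolves ".." and symlinks and fails for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as /backups-old is not accepted as a child of /backups.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo tree: <tmp>/site/wp-config.php and <tmp>/site/backups/db.sql
$site = sys_get_temp_dir() . '/cve_demo_' . bin2hex(random_bytes(4));
mkdir("$site/backups", 0700, true);
file_put_contents("$site/wp-config.php", "<?php // constructed placeholder\n");
file_put_contents("$site/backups/db.sql", "-- constructed placeholder\n");
symlink("$site/wp-config.php", "$site/backups/link.sql"); // symlink out of the directory

$samples = ['db.sql', '../wp-config.php', "$site/wp-config.php", 'link.sql', 'missing.sql'];
foreach ($samples as $name) {
    $path = resolve_backup_path("$site/backups", $name);
    printf("%-45s => %s\n", $name, $path === null ? 'rejected' : "would delete $path");
}

// Remove the constructed demo tree.
foreach (["backups/link.sql", "backups/db.sql", "wp-config.php"] as $f) {
    unlink("$site/$f");
}
rmdir("$site/backups");
rmdir($site);
```

Only db.sql resolves to a deletable path; the traversal string, the absolute path, the symlink and the missing file are all rejected. In a WordPress AJAX handler a check like this would sit after the nonce and capability checks, with only the returned path passed on to the delete call.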

Exploitation

An attacker must have Administrator-level access (or higher) to the WordPress site. They can send a crafted AJAX request to the vulnerable function, supplying a malicious file path (e.g., using path traversal sequences) to delete any file on the server. No additional user interaction is required.

Impact

Successful exploitation enables the attacker to delete arbitrary files, including critical configuration files such as wp-config.php. This can lead to remote code execution or complete site compromise, as the attacker can disrupt the site or gain further access.

Mitigation

Version 2.36 of the plugin provides a partial patch for this vulnerability. Users are strongly advised to update to the latest available version. No workaround has been disclosed. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

Plugin removed: Database Backup and Table Integrity Check with Automated Scheduling (database-backup)

This plugin was removed from the WordPress.org directory on 2026-01-25 (reason: Guideline Violation). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.

Source: api.wordpress.org · directory page
