CVE-2025-10579

Vulnerability

Overview

The BackWPup – WordPress Backup & Restore Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, up to and including, version 5.5.0.0 [1]. This flaw allows authenticated attackers with Subscriber-level access or above to retrieve the filename of a backup while it is running [1].

Exploitation and

Attack Surface

An attacker who is authenticated as a Subscriber (the lowest privileged role) can trigger the vulnerable AJAX endpoint to learn the exact filename of a newly generated backup archive [1]. The backup archives are stored in a web-served directory with a per-site random subfolder that is only six hex characters long, making it feasible to brute-force the full path once the filename is known [1]. This is particularly effective in environments using NGINX or similar configurations where directory listing is disabled but direct file access is allowed [1].

Impact

Impact

While the filename alone has limited value, it can be used to aid in a brute-force attack to retrieve the backup contents [1]. Backup archives often contain highly sensitive data, including database credentials from wp-config.php, authentication salts, plugin configuration tokens, and user password hashes [1]. Successful retrieval of a backup archive could lead to complete confidentiality compromise and enable an attacker to pivot to full administrative control of the WordPress site [1].

Mitigation

The vulnerability has been addressed in version 5.0.1 of the plugin [1]. Users are strongly advised to update to the latest patched version immediately. No workaround is available for older versions [1]. The plugin developer was contacted on September 3, 2025, and a fix was subsequently released [1].