CVE-2025-12092
Description
The CYAN Backup plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' functionality in all versions up to, and including, 2.5.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated administrators can delete arbitrary files via insufficient path validation in CYAN Backup plugin up to v2.5.4.
Vulnerability
Overview
The CYAN Backup plugin for WordPress, in all versions up to and including 2.5.4, contains an arbitrary file deletion vulnerability. The root cause is insufficient validation of the file path supplied to the 'delete' functionality. The plugin's code did not verify that the file being deleted was actually a backup file, allowing an attacker to specify any file path on the server [1].
Exploitation
Details
To exploit this vulnerability, an attacker must have Administrator-level access or higher to the WordPress site. The attack is performed via the plugin's admin interface, where the 'remove' parameter is processed. The original code used realpath() to resolve the supplied path, but the subsequent check only verified that the file exists, not that it is a legitimate backup file. The commit diff shows that the fix iterates over the known backup files and confirms the target is among them before deletion [1].
Impact
Successful exploitation allows an authenticated administrator to delete arbitrary files on the server. This can lead to severe consequences, such as deleting the wp-config.php file, which would break the site and potentially enable remote code execution if the attacker can then upload a new configuration or exploit the resulting state [1].
Mitigation
The vulnerability has been patched in commit 4a79d23e8ba330b5cb655a083c6a00ef32a7b32a7b249, which adds a check to ensure only files that are part of the backup set can be deleted. Users are strongly advised to update the CYAN Backup plugin to a version that includes this fix. No workaround is provided, and given the high impact, immediate updating is recommended [1].
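The existence-only check and the allowlist check described above, side by side, as an added PHP example that is not the plugin's own code: the backup directory location, the function names and the way the 'remove' value reaches them are assumptions for illustration.

```php
<?php
// Added example, not CYAN Backup's code. BACKUP_DIR and the function
// names are hypothetical; the 'remove' value is assumed to arrive as $remove.
declare(strict_types=1);

const BACKUP_DIR = '/var/www/html/wp-content/backups'; // assumed location

// Weak pattern the advisory describes: realpath() resolves the path, but the
// only check afterwards is existence, so any file the web server can write
// to (wp-config.php included) is accepted as a deletion target.
function delete_backup_vulnerable(string $remove): bool
{
    $path = realpath($remove);
    if ($path === false || !file_exists($path)) {
        return false;
    }
    return unlink($path);
}

// Hardened pattern matching the fix: enumerate the files the plugin itself
// treats as backups and compare resolved paths, rather than trusting input.
function list_backup_files(): array
{
    $files = [];
    foreach (glob(BACKUP_DIR . '/*') ?: [] as $f) {
        $real = realpath($f);
        if ($real !== false && is_file($real)) {
            $files[] = $real;
        }
    }
    return $files;
}

function delete_backup_fixed(string $remove): bool
{
    $target = realpath($remove);
    if ($target === false) {
        return false;
    }
    // Strict membership in the known set; string-prefix checks are avoided
    // because symlinks and odd encodings can defeat them.
    if (!in_array($target, list_backup_files(), true)) {
        // Worth logging: a non-backup path here is a signal for detection.
        error_log('Refused to delete non-backup path: ' . $remove);
        return false;
    }
    return unlink($target);
}
```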
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 ranges: 2.4, 2.5, 2.5.1, … + 1 more
- (no CPE) range: 2.4, 2.5, 2.5.1, …
- (no CPE) range: <=2.5.4
Patches
1 patch: 4a79d23e8ba3
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0. No linked articles in our index yet.