CVE-2025-31755

Vulnerability

The pCloud Backup plugin for WordPress (pcloud-backup) version 1.0.1 and earlier contains a missing authorization vulnerability. The plugin fails to properly enforce access control checks on certain protected endpoints, allowing exploitation of incorrectly configured access control security levels. This affects all versions from n/a through 1.0.1, as cited in the official advisory [1].

Exploitation

An attacker with no prior authentication or elevated privileges can exploit this missing authorization flaw by sending crafted HTTP requests to the affected plugin endpoints. The attacker does not need any special network position beyond standard access to the WordPress site. No user interaction is required beyond the attacker's own actions [1].

Impact

Successful exploitation allows an attacker to perform unauthorized actions that should be restricted to higher-privileged users. Depending on the specific endpoints exposed, this could lead to unauthorized access to backup functionality, data exfiltration, or modification of backup settings. The impact includes potential compromise of confidentiality and integrity of the backup system [1].

Mitigation

As of the publication date, no fixed version has been released. The plugin was last updated on 2020-08-21 [1]. Users should consider disabling the plugin until a patched version becomes available. There is no known workaround. This vulnerability is not currently listed on the CISA KEV.