CVE-2025-53246
Description
Missing Authorization vulnerability in Gaurav Aggarwal Backup and Move backup-and-move allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Backup and Move: from n/a through <= 0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing Authorization vulnerability in Backup and Move plugin (<=0.1) allows unauthenticated attackers to exploit incorrectly configured access controls, leading to potential data exposure or modification.
Vulnerability Overview
The Backup and Move WordPress plugin, versions 0.1 and earlier, suffers from a missing authorization vulnerability. The plugin fails to properly verify user permissions or nonce tokens in certain functions, allowing unprivileged users to execute actions that should require higher privileges [1]. This broken access control issue stems from incorrectly configured access control security levels.
Exploitation
Attackers can exploit this vulnerability by sending crafted HTTP requests to the WordPress site without needing authentication or with only low-privileged access. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1]. No special network position is required beyond being able to reach the WordPress admin interface.
Impact
Successful exploitation could allow an attacker to perform unauthorized actions such as accessing, modifying, or deleting backup files, or executing other administrative functions. This could lead to data loss, exposure of sensitive information, or further compromise of the WordPress installation.
Mitigation
As of the publication date, no patched version of the plugin has been released. Users are advised to immediately update the plugin if a fix becomes available, or to remove the plugin entirely. If unable to do so, consulting a hosting provider or web developer is recommended [1]. The vulnerability is listed as expected to be exploited, emphasizing the need for prompt action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.