Backwpup
by WordPress
Source repositories
CVEs (11)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-5504 | Hig | 0.57 | 8.7 | 0.01 | Jan 11, 2024 | The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server.… | ||
| CVE-2017-2551 | Hig | 0.49 | 7.5 | 0.02 | Sep 28, 2017 | Vulnerability in Wordpress plugin BackWPup before v3.4.2 allows possible brute forcing of backup file for download. | ||
| CVE-2026-6227 | Hig | 0.47 | 7.2 | 0.01 | Apr 14, 2026 | The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal… | ||
| CVE-2025-15041 | Hig | 0.47 | 7.2 | 0.00 | Feb 19, 2026 | The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. This… | ||
| CVE-2025-10579 | Med | 0.34 | 5.3 | 0.00 | Oct 25, 2025 | The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible for authenticated… | ||
| CVE-2023-5775 | Low | 0.07 | 2.2 | 0.00 | Feb 26, 2024 | The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated… | ||
| CVE-2011-4342 | 0.04 | — | 0.10 | Oct 8, 2012 | PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter. | |||
| CVE-2023-7164 | 0.02 | — | 0.02 | Apr 8, 2024 | The BackWPup WordPress plugin before 4.0.4 does not prevent Directory Listing in its temporary backup folder, allowing unauthenticated attackers to download backups of a site's database. | |||
| CVE-2023-5505 | 0.00 | — | 0.01 | Aug 17, 2024 | The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the… | |||
| CVE-2013-4626 | 0.00 | — | 0.02 | Sep 26, 2013 | Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php. | |||
| CVE-2011-5208 | 0.00 | — | 0.03 | Oct 8, 2012 | Multiple directory traversal vulnerabilities in the BackWPup plugin before 1.4.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the wpabs parameter to (1) app/options-view_log-iframe.php or (2) app/options-runnow-iframe.php. |
- risk 0.57cvss 8.7epss 0.01
The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server.…
- risk 0.49cvss 7.5epss 0.02
Vulnerability in Wordpress plugin BackWPup before v3.4.2 allows possible brute forcing of backup file for download.
- risk 0.47cvss 7.2epss 0.01
The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal…
- risk 0.47cvss 7.2epss 0.00
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. This…
- risk 0.34cvss 5.3epss 0.00
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible for authenticated…
- risk 0.07cvss 2.2epss 0.00
The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated…
- CVE-2011-4342Oct 8, 2012risk 0.04cvss —epss 0.10
PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter.
- CVE-2023-7164Apr 8, 2024risk 0.02cvss —epss 0.02
The BackWPup WordPress plugin before 4.0.4 does not prevent Directory Listing in its temporary backup folder, allowing unauthenticated attackers to download backups of a site's database.
- CVE-2023-5505Aug 17, 2024risk 0.00cvss —epss 0.01
The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the…
- CVE-2013-4626Sep 26, 2013risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php.
- CVE-2011-5208Oct 8, 2012risk 0.00cvss —epss 0.03
Multiple directory traversal vulnerabilities in the BackWPup plugin before 1.4.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the wpabs parameter to (1) app/options-view_log-iframe.php or (2) app/options-runnow-iframe.php.