VYPR

Backwpup

by WordPress

CVEs (11)

  • CVE-2023-5504 · High · Jan 11, 2024
    risk 0.57 · cvss 8.7 · epss 0.01

    The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server.…

  • CVE-2017-2551 · High · Sep 28, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Vulnerability in the WordPress plugin BackWPup before v3.4.2 allows possible brute forcing of the backup file for download.

  • CVE-2026-6227 · High · Apr 14, 2026
    risk 0.47 · cvss 7.2 · epss 0.01

    The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal…

  • CVE-2025-15041 · High · Feb 19, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. This…

  • CVE-2025-10579 · Medium · Oct 25, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible for authenticated…

  • CVE-2023-5775 · Low · Feb 26, 2024
    risk 0.07 · cvss 2.2 · epss 0.00

    The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated…

  • CVE-2011-4342 · Oct 8, 2012
    risk 0.04 · cvss (none listed) · epss 0.10

    PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter.

  • CVE-2023-7164 · Apr 8, 2024
    risk 0.02 · cvss (none listed) · epss 0.02

    The BackWPup WordPress plugin before 4.0.4 does not prevent Directory Listing in its temporary backup folder, allowing unauthenticated attackers to download backups of a site's database.

  • CVE-2023-5505 · Aug 17, 2024
    risk 0.00 · cvss (none listed) · epss 0.01

    The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the…

  • CVE-2013-4626 · Sep 26, 2013
    risk 0.00 · cvss (none listed) · epss 0.02

    Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php.

  • CVE-2011-5208 · Oct 8, 2012
    risk 0.00 · cvss (none listed) · epss 0.03

    Multiple directory traversal vulnerabilities in the BackWPup plugin before 1.4.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the wpabs parameter to (1) app/options-view_log-iframe.php or (2) app/options-runnow-iframe.php.