CVE-2024-13910

Name of the Vulnerable Software and Affected Versions Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress versions up to, and including, 2.35

Description The issue arises from insufficient file path validation in the database backup ajax delete function, allowing authenticated attackers with Administrator-level access and above to delete arbitrary files on the server. This can lead to remote code execution when critical files, such as wp-config.php, are deleted.

Recommendations For versions up to, and including, 2.35, update to version 2.36 or later to partially mitigate the issue. As a temporary workaround, consider restricting access to the database backup ajax delete function until a more comprehensive patch is available.