PT-2026-54953 · Databasebackup · Wp Database Backup – Unlimited Database & Files Backup By Backup For Wp

Irwan Kusuma · Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-9834

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the wp_db_exclude_table parameter. The cause is the direct concatenation of user-supplied $_POST['wp_db_exclude_table'] values into the mysqldump shell command string in the mysqldump() function of includes/admin/class-wpdb-admin.php without wrapping them in escapeshellarg(). Every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is properly escaped, which makes the exclude-table values the sole exception. The only filtering applied, sanitize_text_field() via recursive_sanitize_text_field(), strips HTML tags but leaves shell metacharacters such as ;, |, ` and $() intact. This makes it possible for authenticated attackers with administrator-level access and above to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via update_option('wp_db_exclude_table'), later retrieved with get_option() and passed unsanitized to shell_exec() whenever a backup operation runs.
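The hardened form of the pattern described above, as an added illustration written for this page and not the plugin's own code: every exclude-table value is validated against an identifier allowlist and then wrapped in escapeshellarg() like the other arguments. The function names, parameters and sample inputs below are constructed for the example.

```php
<?php
// Added example, not the plugin's implementation. Shows how the exclude-table
// values can be handled safely before they reach a shell command string.

/**
 * Accept only strings that can legitimately be MySQL table names.
 * Anything else (including shell metacharacters) is rejected outright,
 * so the command builder never relies on escaping alone.
 */
function is_valid_table_name(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $name);
}

/**
 * Build the mysqldump command with every argument, including each
 * --ignore-table value derived from the stored option, passed through
 * escapeshellarg(). Returns null when any exclude entry fails validation.
 */
function build_dump_command(string $user, string $pass, string $host,
                            string $db, string $outfile, array $exclude): ?string {
    $cmd = 'mysqldump --user=' . escapeshellarg($user)
         . ' --password=' . escapeshellarg($pass)
         . ' --host=' . escapeshellarg($host);
    foreach ($exclude as $table) {
        if (!is_valid_table_name($table)) {
            return null; // reject instead of trying to "clean" the value
        }
        // mysqldump expects --ignore-table=db_name.tbl_name
        $cmd .= ' --ignore-table=' . escapeshellarg($db . '.' . $table);
    }
    $cmd .= ' ' . escapeshellarg($db) . ' > ' . escapeshellarg($outfile);
    return $cmd;
}

// Constructed inputs: a benign list, and one value carrying a shell
// metacharacter that sanitize_text_field() would leave untouched
// (it strips HTML tags, not shell syntax).
$benign  = ['wp_options', 'wp_posts'];
$hostile = ['wp_options; id'];

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $list) {
    $cmd = build_dump_command('dbuser', 'secret', 'localhost', 'wpdb',
                              '/tmp/backup.sql', $list);
    echo $label . ': ' . ($cmd === null ? 'rejected' : 'ok -> ' . $cmd) . PHP_EOL;
}
```

The same validation belongs at save time (before update_option()) as well as at backup time, since the stored option is what eventually reaches shell_exec().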

Fix

Command Injection


Weakness Enumeration

Related identifiers

CVE-2026-9834

Affected products

Wp Database Backup – Unlimited Database & Files Backup By Backup For Wp