PT-2023-15918 · WordPress · Backupwordpress
Ram +1 · Published 2023-03-07 · Updated 2023-03-14 · CVE-2022-4931
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
BackupWordPress plugin for WordPress, versions up to and including 3.12
Description
The issue is an information disclosure caused by a missing authorization check in the heartbeat_received() function, which runs on every WordPress heartbeat request. Because the function does not verify the caller's capabilities, any authenticated user with subscriber-level permissions or above can retrieve backup file paths, which can potentially lead to the download of backups.
Recommendations
For versions up to and including 3.12, update to a version that includes a fix for the missing authorization check in the heartbeat_received() function.
As a temporary workaround, consider restricting access to the heartbeat_received() function so that only users authorized to manage backups can reach it, to minimize the risk of exploitation.
Fix
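The pattern behind the fix, as an added illustration that is not BackupWordPress's own code: a callback on the real WordPress `heartbeat_received` filter that checks a capability before it adds backup information to the heartbeat response, and reports state rather than an on-disk path. The function names, the request keys, the option names and the `manage_options` capability used here are assumptions chosen for the example.

```php
<?php
/**
 * Added illustration (not the plugin's own code): a heartbeat_received
 * filter callback shown in an unsafe shape and a hardened shape.
 * Function, option, request-key and capability names are assumptions.
 */

// Unsafe shape: the callback trusts that any logged-in browser sending
// the heartbeat may see backup data, so a subscriber receives the path.
function example_unsafe_heartbeat_received( $response, $data ) {
    if ( ! empty( $data['example_backup_status'] ) ) {
        $response['example_backup_path'] = get_option( 'example_backup_path' );
    }
    return $response;
}

// Hardened shape: only act on the key this feature owns, require a
// capability before touching backup data, and never return a filesystem path.
function example_secure_heartbeat_received( $response, $data ) {
    // Ignore heartbeats that did not ask about backups.
    if ( empty( $data['example_backup_status'] ) ) {
        return $response;
    }

    // Authorization check that the vulnerable version lacks:
    // subscriber-level users fail this and get the unchanged response.
    if ( ! current_user_can( 'manage_options' ) ) {
        return $response;
    }

    // Report completion state only; the client does not need the path.
    $response['example_backup_complete'] = (bool) get_option( 'example_backup_complete' );

    return $response;
}

// heartbeat_received is a real WordPress filter. The callback receives
// the response array and the data the browser posted with the heartbeat.
add_filter( 'heartbeat_received', 'example_secure_heartbeat_received', 10, 2 );
```

The capability check is the core of the remediation; returning a flag instead of the path is the defence-in-depth step that limits what an authorized but compromised session can learn from the heartbeat channel.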
Related Identifiers
Affected Products
Backupwordpress