PT-2025-12867 · WordPress · Total Upkeep
Dzmitry Sviatlichny · Published 2025-03-26 · Updated 2025-03-26
CVE-2025-2257
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid versions up to, and including, 1.16.10
Description
The plugin's compression level setting is passed to proc_open() without any validation, so a crafted value is interpreted as part of the command line (OS command injection). This allows authenticated attackers with administrator-level access and above to execute arbitrary commands on the server under the web server's account.
Recommendations
For versions up to, and including, 1.16.10, consider disabling the compression level setting or restricting access to the plugin until a patch is available. As a temporary workaround, avoid using the compression level setting in the affected plugin.
Fix
RCE
OS Command Injection
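The pattern the description refers to, as an added illustration that is not Total Upkeep's code: a hypothetical compression level option reaching proc_open() through a shell command string, beside a hardened version that validates the value and avoids the shell entirely. The gzip command line, the sample option values and the helper names are assumptions made for this example.

```php
<?php
// Added example, not Total Upkeep's source. It reproduces the pattern the
// advisory describes: an administrator-controlled "compression level" option
// reaching proc_open() without validation. The gzip command line and the
// sample values below are assumptions for this illustration.

// Constructed sample values an administrator could save in the option.
$benignLevel  = '6';
// Terminates the gzip command early, runs `id`, and comments out the rest.
$hostileLevel = '6 -c /dev/null >/dev/null; id #';

/** Spawn a child with proc_open() and return its stdout and stderr. */
function runChild($cmd): string
{
    // stdin is tied to /dev/null so the child can never block on a terminal.
    $spec = [
        0 => ['file', '/dev/null', 'r'],
        1 => ['pipe', 'w'],
        2 => ['pipe', 'w'],
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open() failed');
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

/**
 * VULNERABLE: the option is interpolated into a shell command string, so
 * proc_open() hands it to /bin/sh and any metacharacters in it are honoured.
 * Escaping the path alone does nothing for the level that precedes it.
 */
function compressVulnerable(string $level, string $path): string
{
    $cmd = "gzip -$level -k -f " . escapeshellarg($path);
    return runChild($cmd);
}

/**
 * HARDENED: reject anything that is not a single digit 1-9 (gzip's range),
 * then pass an argv array (PHP 7.4+) so no shell ever parses the value.
 * The same check belongs on save (a sanitize_callback on the option); this
 * is the last line of defence at the spawn point.
 */
function compressHardened(string $level, string $path): string
{
    if (!preg_match('/^[1-9]$/', $level)) {
        throw new InvalidArgumentException("invalid compression level: $level");
    }
    return runChild(['gzip', "-$level", '-k', '-f', $path]);
}

// Constructed input file standing in for a backup archive.
$file = tempnam(sys_get_temp_dir(), 'backup');
file_put_contents($file, str_repeat('backup data ', 100));

// A benign value behaves identically in both versions.
compressVulnerable($benignLevel, $file);
compressHardened($benignLevel, $file);

// The hostile value: the vulnerable path runs `id` as the web server user ...
echo 'vulnerable: ', compressVulnerable($hostileLevel, $file);

// ... while the hardened path refuses it before any process is spawned.
try {
    compressHardened($hostileLevel, $file);
} catch (InvalidArgumentException $e) {
    echo 'hardened: rejected (', $e->getMessage(), ")\n";
}
```

Casting with (int) or WordPress's absint() would also neutralise the value; what matters is that a free-form string from a settings page never reaches /bin/sh, and that the command is spawned as an argument vector rather than a string even after validation.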
Weakness Enumeration
Related Identifiers
Affected Products
Total Upkeep