PT-2025-28830 · WordPress · Wordpress Total Upkeep
Wadeek · Published 2025-07-09 · Updated 2025-07-09
CVE-2025-34084
CVSS v4.0: 9.2 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
WordPress Total Upkeep plugin versions prior to 1.14.10
Description:
An information disclosure issue allows unauthenticated users to retrieve detailed server configuration and discover backup metadata. The exposed endpoints include "env-info.php" and "restore-info.json", which can disclose the absolute filesystem path of the latest backup. This path can be converted into a web-accessible URL, allowing attackers to download the backup. The database archive may contain credential hashes, facilitating offline password cracking or credential stuffing attacks.
Recommendations:
For versions prior to 1.14.10, update to version 1.14.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the "env-info.php" and "restore-info.json" endpoints to prevent unauthenticated users from retrieving sensitive information.
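To check whether the two endpoints were already being served before the update or workaround, the following added example (not part of the original advisory or the plugin) scans web access logs for successful requests to them and for archive files served to the same client afterwards. It assumes the Apache/nginx "combined" log format and a list of archive extensions; the function name, sample lines, IP addresses and paths are constructed placeholders.

```python
import re
from collections import defaultdict

INFO_ENDPOINTS = {"env-info.php", "restore-info.json"}  # named in the advisory
# Assumption: backup archives are served with one of these extensions.
ARCHIVE_EXTS = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz")

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def scan(lines):
    """Return (probes, downloads), each keyed by client IP.

    probes: successful requests for the two info endpoints.
    downloads: archive files served to a client after it probed."""
    probes, downloads = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] not in ("200", "206"):
            continue  # unparsable, blocked or not found: nothing was served
        # Compare on the file name only, ignoring query string and directory.
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if name in INFO_ENDPOINTS:
            probes[m["ip"]].append((m["ts"], m["path"]))
        elif m["ip"] in probes and name.endswith(ARCHIVE_EXTS):
            downloads[m["ip"]].append((m["ts"], m["path"]))
    return dict(probes), dict(downloads)

# Constructed sample lines: documentation IPs and placeholder paths.
SAMPLE = [
    '198.51.100.7 - - [09/Jul/2025:10:00:01 +0000] "GET /example-path/env-info.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [09/Jul/2025:10:00:02 +0000] "GET /example-path/restore-info.json HTTP/1.1" 200 230 "-" "-"',
    '198.51.100.7 - - [09/Jul/2025:10:00:05 +0000] "GET /example-backups/site-backup.zip HTTP/1.1" 200 7340032 "-" "-"',
    '203.0.113.9 - - [09/Jul/2025:10:01:00 +0000] "GET /example-path/env-info.php HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.44 - - [09/Jul/2025:10:02:00 +0000] "GET /example-downloads/theme.zip HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    probes, downloads = scan(SAMPLE)
    for ip, hits in probes.items():
        fetched = [p for _, p in downloads.get(ip, [])]
        print(ip, "read", [p for _, p in hits], "then fetched", fetched)
```

Requests answered with 403 or 404 are ignored, so once the workaround or the update is in place, new log entries should produce no probes.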
Exploit
Fix
Missing Authentication
Information Disclosure
Affected Products
Wordpress Total Upkeep