CVE-2025-0215

Name of the Vulnerable Software and Affected Versions UpdraftPlus: WP Backup & Migration Plugin versions up to 1.24.12

Description The issue is related to Reflected Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an admin user into performing an action such as clicking on a link. The vulnerability is exploited via the showdata and initiate restore parameters.

Recommendations For versions up to 1.24.12, consider disabling the showdata and initiate restore parameters as a temporary workaround until a patch is available. Restrict access to the affected plugin to minimize the risk of exploitation. Avoid using the showdata and initiate restore parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.