PT-2025-43699 · WordPress · Backup/Restore Wordpress – Backup Plugin
Dmitry Ignatyev · Published 2025-10-25 · Updated 2025-10-25 · CVE-2025-10579
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
BackWPup – WordPress Backup & Restore Plugin versions prior to 5.5.1
Description
The BackWPup – WordPress Backup & Restore Plugin for WordPress is susceptible to unauthorized data access. A missing capability check on the backwpup_working AJAX action allows authenticated attackers with Subscriber-level access or higher to retrieve a backup’s filename during a backup process. While this information has limited standalone value, it could potentially assist in a brute force attack to obtain backup contents in specific environments, such as those using NGINX. The API endpoint involved is backwpup_working.
Recommendations
Update BackWPup – WordPress Backup & Restore Plugin to version 5.5.1 or later.
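A defender-side check for the pattern in the description, added here as an example that is not part of the advisory or the plugin's code: it scans web access logs for clients that call the `backwpup_working` action and afterwards request archive files under `/wp-content/`. It assumes combined log format and that the action name appears in the query string (request bodies are not logged); the function name, sample lines, and paths are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ACTION = "backwpup_working"  # AJAX action named in the advisory
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Assumption: backups are archive files stored somewhere under /wp-content/.
ARCHIVE_RE = re.compile(r"^/wp-content/.+\.(zip|tar|tar\.gz|tar\.bz2)$", re.I)

# Constructed sample lines (documentation IP ranges, made-up paths and names).
SAMPLE_LOG = """\
198.51.100.9 - - [25/Oct/2025:09:59:58 +0000] "GET /wp-admin/admin-ajax.php?action=backwpup_working HTTP/1.1" 200 310
203.0.113.7 - - [25/Oct/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=backwpup_working HTTP/1.1" 200 310
192.0.2.44 - - [25/Oct/2025:10:00:02 +0000] "GET /wp-content/uploads/example-backups/guess.zip HTTP/1.1" 404 162
203.0.113.7 - - [25/Oct/2025:10:00:05 +0000] "GET /wp-content/uploads/example-backups/site_CONSTRUCTED_a.zip HTTP/1.1" 404 162
203.0.113.7 - - [25/Oct/2025:10:00:06 +0000] "GET /wp-content/uploads/example-backups/site_CONSTRUCTED_b.zip HTTP/1.1" 404 162
203.0.113.7 - - [25/Oct/2025:10:00:07 +0000] "GET /wp-content/uploads/example-backups/site_CONSTRUCTED_c.zip HTTP/1.1" 200 48211
"""

def analyze(log_text, min_probes=3):
    """Return {ip: {"probes": n, "hits": m}} for clients that polled the AJAX
    action and then requested archive files. A client is reported when it made
    at least min_probes archive requests, or when any of them returned 200."""
    polled = set()
    stats = defaultdict(lambda: {"probes": 0, "hits": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.groups()
        url = urlsplit(target)
        if url.path.endswith("/wp-admin/admin-ajax.php"):
            if ACTION in parse_qs(url.query).get("action", []):
                polled.add(ip)
        elif ip in polled and ARCHIVE_RE.match(url.path):
            stats[ip]["probes"] += 1
            stats[ip]["hits"] += int(status == "200")  # archive was served
    return {ip: dict(c) for ip, c in stats.items()
            if c["probes"] >= min_probes or c["hits"]}

if __name__ == "__main__":
    for ip, c in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {c['probes']} archive requests after polling, {c['hits']} served")
```

A non-zero `hits` count means an archive was actually served over HTTP to a client that had polled the action, which is the case to investigate first.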
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Backup/Restore Wordpress – Backup Plugin