PT-2026-28187 · Wp Engine · Database Backup For Wordpress

Drew Webber · Published 2026-03-25 · Updated 2026-05-14 · CVE-2026-4031

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Database Backup for WordPress versions prior to 2.5.3

Description: An authorization bypass exists because the plugin fails to restrict access to the 'wp db temp dir' parameter, which determines the storage location for database backups. Unauthenticated attackers can send a request to the 'wp-cron.php' endpoint with a manipulated 'wp db temp dir' value pointing to a public directory, such as 'wp-content/uploads/'. If a scheduled backup occurs, the attacker can intercept the backup file, which uses a predictable naming convention based on the database name, table prefix, date, and Swatch Internet Time. This leads to sensitive information exposure, including database credentials, user password hashes, and personally identifiable information. This issue requires the site administrator to have configured scheduled backups.

Recommendations: Update to a version later than 2.5.2. As a temporary workaround, restrict access to the 'wp db temp dir' parameter or disable scheduled backups until the update is applied.
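As an added defensive example, not part of this advisory or of the plugin's own code, the following Python script scans web-server access logs for requests that carry the backup-directory parameter described above. The advisory writes the parameter as 'wp db temp dir'; the script normalises spelling so that this form, a hyphenated form and the assumed underscore form 'wp_db_temp_dir' all match, and the log lines it checks are constructed samples.

```python
"""Flag access-log entries that carry the backup-directory override parameter
described in this advisory (CVE-2026-4031). The underscore spelling of the key
and the sample log lines are constructed assumptions, not taken from the page."""
import re
from urllib.parse import parse_qsl, urlsplit

# Combined-format access log: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PUBLIC_PREFIXES = ("wp-content/uploads",)  # web-readable locations to treat as high risk

def normalize_key(key):
    """Map 'wp db temp dir', 'wp-db-temp-dir' and 'WP_DB_TEMP_DIR' onto one spelling."""
    return re.sub(r"[\s\-]+", "_", key.strip().lower())

def inspect(line):
    """Return a finding dict if the request carries the parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = {normalize_key(k): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    if "wp_db_temp_dir" not in params:
        return None
    value = params["wp_db_temp_dir"]
    # A temp dir under a web-readable path is what makes the dump retrievable.
    public = any(p in value.replace("\\", "/") for p in PUBLIC_PREFIXES)
    cron = parts.path.endswith("/wp-cron.php")
    return {"ip": m.group("ip"), "timestamp": m.group("ts"), "endpoint": parts.path,
            "temp_dir": value, "severity": "high" if public and cron else "medium"}

def scan(lines):
    """Run inspect() over log lines and collect the findings."""
    return [f for f in map(inspect, lines) if f]

# Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/May/2026:10:01:02 +0000] "GET /wp-cron.php?wp_db_temp_dir=wp-content/uploads/ HTTP/1.1" 200 0 "-" "curl/8.6.0"',
    '198.51.100.7 - - [14/May/2026:10:02:02 +0000] "POST /wp-cron.php?doing_wp_cron=1778839322.1234 HTTP/1.1" 200 0 "-" "WordPress/6.8"',
    '203.0.113.5 - - [14/May/2026:10:03:02 +0000] "GET /wp-cron.php?wp%20db%20temp%20dir=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fuploads%2F HTTP/1.1" 200 0 "-" "python-requests/2.32"',
    '192.0.2.9 - - [14/May/2026:10:04:02 +0000] "GET /index.php?wp-db-temp-dir=/tmp/backups HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests that only carry the parameter with a non-public path are reported as medium so that probing is still visible; the legitimate 'doing_wp_cron' request in the sample produces no finding.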

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-4031

Affected Products

Database Backup For Wordpress