PT-2026-32589 · WordPress · Backwpup

Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-6227

CVSS v3.1 7.2 High
Vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BackWPup versions prior to 5.6.7
Description: The BackWPup plugin for WordPress contains a Local File Inclusion issue. The block name parameter of the '/wp-json/backwpup/v1/getblock' REST endpoint is sanitized with a single, non-recursive str_replace() of path traversal sequences, so a sequence that only becomes "../" after one pass of the filter (for example "....//") survives sanitization as a working traversal. Authenticated attackers with Administrator-level access, or users granted backup permissions, can use such crafted sequences to include arbitrary PHP files on the server. This can lead to the exposure of sensitive files, such as wp-config.php, or to remote code execution in specific configurations.
Recommendations: Update to BackWPup 5.6.7 or later. As a temporary workaround until the update is applied, restrict access to the '/wp-json/backwpup/v1/getblock' endpoint or avoid using the block name parameter.
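The following PHP is an added example, not BackWPup's code, showing why a single non-recursive str_replace() of "../" is bypassable and one way to resolve a block name safely. The function names (sanitize_block_name_weak, resolve_block_file), the directory layout and the payloads are constructed for illustration and are not the plugin's real identifiers or parameters.

```php
<?php
// Added example (not BackWPup's code). Illustrates the non-recursive
// str_replace() weakness described above and a hardened alternative.
// sanitize_block_name_weak, resolve_block_file and $blocks_dir are
// hypothetical names chosen for this example.

// Hypothetical weak sanitizer: removes "../" in one pass, the way a
// non-recursive filter does. It never rescans the result.
function sanitize_block_name_weak(string $name): string {
    return str_replace('../', '', $name);
}

// Hardened resolver: allow-list the name's characters, then confirm the
// resolved path still lies inside the intended directory before any include.
function resolve_block_file(string $name, string $blocks_dir): ?string {
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $name)) {
        return null;                       // rejects dots, slashes, NUL, etc.
    }
    $base      = realpath($blocks_dir);
    $candidate = realpath($blocks_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;                       // directory or file does not exist
    }
    // realpath() collapses symlinks and "..", so a prefix check is meaningful.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // escaped the blocks directory
    }
    return $candidate;
}

// Constructed payloads: the second one survives a single pass of the weak
// filter because each "....//" loses one "../" and leaves "../" behind.
$payloads = [
    '../../wp-config',
    '....//....//wp-config',
];
foreach ($payloads as $p) {
    printf("%-26s -> %s\n", $p, sanitize_block_name_weak($p));
}
// ../../wp-config            -> wp-config
// ....//....//wp-config      -> ../../wp-config

// Build a throwaway blocks directory so the hardened resolver runs offline.
$dir = sys_get_temp_dir() . '/blocks_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/hello.php", "<?php echo 'hello block';\n");

var_dump(resolve_block_file('hello', $dir) !== null);          // bool(true)
var_dump(resolve_block_file('....//....//wp-config', $dir));   // NULL
var_dump(resolve_block_file('../hello', $dir));                // NULL

unlink("$dir/hello.php");
rmdir($dir);
```

The allow-list alone already stops traversal; the realpath() prefix check is defence in depth for the case where the name is later used to build a path with other components. A filter that only strips "../" (even one applied in a loop until nothing changes) is still the wrong tool, because it tries to enumerate bad input instead of describing the one shape of input the endpoint should accept. To confirm which version a site runs, WP-CLI's `wp plugin get backwpup --field=version` prints the installed plugin version.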

Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2026-6227

Affected Products: Backwpup