PT-2026-54953 · Databasebackup · Wp Database Backup – Unlimited Database & Files Backup By Backup For Wp
Irwan Kusuma · Published 2026-07-02 · Updated 2026-07-02
CVE-2026-9834 · CVSS v3.1 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the wp_db_exclude_table parameter. The user-supplied $_POST['wp_db_exclude_table'] values are concatenated directly into the mysqldump shell command string in the mysqldump() function of includes/admin/class-wpdb-admin.php without being wrapped in escapeshellarg(); every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is escaped, which makes the exclude-table values the sole exception. The only filtering applied, sanitize_text_field() via recursive_sanitize_text_field(), strips HTML tags but leaves shell metacharacters such as ;, |, ` and $() intact. This makes it possible for authenticated attackers with administrator-level access and above to execute arbitrary operating system commands on the server, potentially resulting in full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via update_option('wp_db_exclude_table'), later retrieved with get_option() and passed unsanitized to shell_exec() whenever a backup operation runs.
Fix
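The following is an added illustration of the pattern the description above reports, placed beside a hardened version; it is not the plugin's own code, and the function names (build_dump_command_vulnerable(), build_dump_command_hardened(), is_safe_table_name()), the stand-in for WordPress's sanitize_text_field(), the placeholder credentials and the output path are all assumptions made for the example. It never calls shell_exec(); it only prints the command strings that would be handed to the shell.

```php
<?php
// Added example for this advisory, not the plugin's code. Shows why
// sanitize_text_field() does not neutralise shell metacharacters, what the
// unescaped concatenation produces, and how escapeshellarg() plus an
// identifier allowlist closes the hole. Nothing here executes a command.

// Stand-in for WordPress sanitize_text_field() (assumption: strips tags and
// collapses whitespace). Note that ; | ` $( ) and # pass through untouched.
function sanitize_text_field_standin(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\r\n\t ]+/', ' ', $value);
    return trim($value);
}

// Stand-in for recursive_sanitize_text_field() applied to a posted array.
function recursive_sanitize_standin(array $values): array {
    return array_map('sanitize_text_field_standin', $values);
}

// Vulnerable pattern: the fixed arguments are escaped, the exclude-table
// values are appended raw, exactly the asymmetry the advisory describes.
function build_dump_command_vulnerable(string $db, array $exclude): string {
    $cmd = 'mysqldump --user=' . escapeshellarg('wp')          // placeholder for DB_USER
         . ' --password=' . escapeshellarg('secret')           // placeholder for DB_PASSWORD
         . ' --host=' . escapeshellarg('localhost');
    foreach ($exclude as $table) {
        $cmd .= ' --ignore-table=' . $db . '.' . $table;       // raw, unescaped
    }
    return $cmd . ' ' . escapeshellarg($db) . ' > ' . escapeshellarg('/tmp/backup.sql');
}

// Hardened: reject anything that is not a plain MySQL identifier, then pass
// the value through escapeshellarg() like every other argument.
function is_safe_table_name(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9_$]{1,64}$/', $name);
}

function build_dump_command_hardened(string $db, array $exclude): string {
    $cmd = 'mysqldump --user=' . escapeshellarg('wp')
         . ' --password=' . escapeshellarg('secret')
         . ' --host=' . escapeshellarg('localhost');
    foreach ($exclude as $table) {
        if (!is_safe_table_name($table)) {
            throw new InvalidArgumentException('rejected table name: ' . $table);
        }
        $cmd .= ' --ignore-table=' . escapeshellarg($db . '.' . $table);
    }
    return $cmd . ' ' . escapeshellarg($db) . ' > ' . escapeshellarg('/tmp/backup.sql');
}

// Constructed request body, shaped like $_POST['wp_db_exclude_table'] as an
// administrator could submit it from the settings form.
$post = ['wp_db_exclude_table' => ['wp_options', 'wp_users; id #']];

// In the real plugin this round-trips through update_option()/get_option();
// the stored value is identical, so the bug fires on every later backup run.
$exclude = recursive_sanitize_standin($post['wp_db_exclude_table']);

echo "after sanitize: ", json_encode($exclude), "\n";   // "; id #" survives
echo "vulnerable:     ", build_dump_command_vulnerable('wordpress', $exclude), "\n";

try {
    echo "hardened:       ", build_dump_command_hardened('wordpress', $exclude), "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened:       ", $e->getMessage(), "\n";
}

// With benign input the hardened builder still produces a usable command.
echo "hardened (ok):  ", build_dump_command_hardened('wordpress', ['wp_options']), "\n";
```

Run it with `php example.php`: the vulnerable line ends in `--ignore-table=wordpress.wp_users; id # 'wordpress' > '/tmp/backup.sql'`, so a shell would run mysqldump, then id, and treat the rest as a comment; the hardened builder refuses the same value before any command string is assembled. Escaping alone (without the allowlist) would also be sufficient to stop the injection, but the allowlist keeps a malformed identifier from reaching mysqldump at all.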
Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Wp Database Backup – Unlimited Database & Files Backup By Backup For Wp