PT-2026-54953 · Databasebackup · Wp Database Backup – Unlimited Database & Files Backup By Backup For Wp

Irwan Kusuma · Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-9834

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the wp_db_exclude_table parameter. The mysqldump() function in includes/admin/class-wpdb-admin.php concatenates the user-supplied $_POST['wp_db_exclude_table'] values directly into the mysqldump shell command string without wrapping them in escapeshellarg(). Every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is escaped properly, so the exclude-table values are the sole exception. The only filtering applied to them, sanitize_text_field() via recursive_sanitize_text_field(), strips HTML tags but leaves shell metacharacters such as ;, |, `, and $() intact.

This makes it possible for authenticated attackers with administrator-level access and above to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via update_option('wp_db_exclude_table'), later retrieved with get_option(), and passed unsanitized to shell_exec() whenever a backup operation runs, so the payload executes on every subsequent backup run until the stored option is corrected.
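As an added illustration of the pattern described above, not the plugin's own code: the following PHP script reconstructs the unescaped concatenation beside its escapeshellarg()-wrapped form and runs both through shell_exec() so the difference is visible in the output. The function names, the stand-in for sanitize_text_field(), the database name wpdb, the fixed user name, and the substitution of 'echo mysqldump' for the real binary are all assumptions made for the demo; --ignore-table is mysqldump's own exclude-table flag, but the advisory does not state which flag the plugin uses.

```php
<?php
declare(strict_types=1);

// Stand-in for WordPress sanitize_text_field(): strips HTML tags and trims
// whitespace but leaves shell metacharacters (; | ` $()) untouched, which is
// the behaviour the advisory describes. Not the WordPress implementation.
function stub_sanitize_text_field(string $value): string
{
    return trim(strip_tags($value));
}

// Vulnerable pattern (reconstruction, not the plugin's code): the fixed
// arguments go through escapeshellarg(), but each exclude-table value is
// concatenated raw. $bin is parameterised so the demo can run "echo mysqldump"
// instead of the real binary; --ignore-table is mysqldump's exclude flag.
function build_dump_cmd_vulnerable(string $bin, string $db, array $excludes): string
{
    $cmd = $bin . ' --user=' . escapeshellarg('dbuser') . ' ' . escapeshellarg($db);
    foreach ($excludes as $table) {
        $table = stub_sanitize_text_field($table);
        $cmd .= ' --ignore-table=' . $db . '.' . $table;   // no escapeshellarg()
    }
    return $cmd;
}

// Hardened pattern: the whole --ignore-table value is wrapped in
// escapeshellarg(), so the shell receives it as one literal argument.
function build_dump_cmd_hardened(string $bin, string $db, array $excludes): string
{
    $cmd = $bin . ' --user=' . escapeshellarg('dbuser') . ' ' . escapeshellarg($db);
    foreach ($excludes as $table) {
        $table = stub_sanitize_text_field($table);
        $cmd .= ' --ignore-table=' . escapeshellarg($db . '.' . $table);
    }
    return $cmd;
}

// Defence in depth: a table name only ever needs identifier characters, so
// reject anything else before it reaches the command builder at all.
function is_valid_table_name(string $table): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,64}$/', $table) === 1;
}

// Constructed attacker input: a legitimate table name followed by one that
// smuggles a second shell command after a semicolon.
$submitted = ['wp_posts', 'wp_users; echo INJECTED'];

$vuln = build_dump_cmd_vulnerable('echo mysqldump', 'wpdb', $submitted);
echo "vulnerable command: $vuln\n";
echo shell_exec($vuln);   // two lines: the fake mysqldump echo, then INJECTED

$safe = build_dump_cmd_hardened('echo mysqldump', 'wpdb', $submitted);
echo "hardened command:   $safe\n";
echo shell_exec($safe);   // one line; "; echo INJECTED" stays inside the quoted argument

// With the allow-list the hostile value never reaches the shell at all.
$rejected = array_filter($submitted, fn(string $t) => !is_valid_table_name($t));
echo 'rejected by allow-list: ' . implode(', ', $rejected) . "\n";
```

Run it with the PHP CLI on a Linux host (escapeshellarg() quotes with single quotes there; on Windows it uses double quotes, but the effect is the same). The vulnerable build prints INJECTED on its own line because the shell parses the semicolon as a command separator; the hardened build prints the semicolon and everything after it as part of the --ignore-table argument. The allow-list is the check to add on top of escapeshellarg(): a stored option that fails it should be rejected at save time, which also clears out any value already persisted by an earlier submission.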

Weakness Enumeration

Command Injection

Related Identifiers

CVE-2026-9834

Affected Products

Wp Database Backup – Unlimited Database & Files Backup By Backup For Wp