Search criteria
6 vulnerabilities found for Database Backup for WordPress by wpengine
CVE-2026-4031 (GCVE-0-2026-4031)
Vulnerability from nvd – Published: 2026-05-14 12:32 – Updated: 2026-05-14 19:51
VLAI
Title
Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Database Backup Interception
Summary
The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wp_db_temp_dir parameter, which controls where database backups are written. This makes it possible for unauthenticated attackers to send a request to wp-cron.php with a poisoned wp_db_temp_dir value pointing to a publicly accessible directory (e.g., wp-content/uploads/), and if a scheduled backup is due, intercept the backup file before it is cleaned up. The backup file has a predictable name based on the database name, table prefix, date, and Swatch Internet Time, making interception reliable. Successful exploitation leads to Sensitive Information Exposure including database credentials, user password hashes, and personally identifiable information. This vulnerability requires that the site administrator has configured scheduled backups.
Severity
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpengine | Database Backup for WordPress |
Affected:
0 , ≤ 2.5.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T16:02:56.309388Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:51:56.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Database Backup for WordPress",
"vendor": "wpengine",
"versions": [
{
"lessThanOrEqual": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wp_db_temp_dir parameter, which controls where database backups are written. This makes it possible for unauthenticated attackers to send a request to wp-cron.php with a poisoned wp_db_temp_dir value pointing to a publicly accessible directory (e.g., wp-content/uploads/), and if a scheduled backup is due, intercept the backup file before it is cleaned up. The backup file has a predictable name based on the database name, table prefix, date, and Swatch Internet Time, making interception reliable. Successful exploitation leads to Sensitive Information Exposure including database credentials, user password hashes, and personally identifiable information. This vulnerability requires that the site administrator has configured scheduled backups."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:32:02.352Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36615cae-418f-48b0-ba69-b54515cbe1d7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L121"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L85"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L961"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L1568"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/tags/2.5.2/wp-db-backup.php#L121"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3510595/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Database Backup for WordPress \u003c= 2.5.2 - Missing Authorization to Unauthenticated Database Backup Interception"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4031",
"datePublished": "2026-05-14T12:32:02.352Z",
"dateReserved": "2026-03-12T00:34:09.270Z",
"dateUpdated": "2026-05-14T19:51:56.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4030 (GCVE-0-2026-4030)
Vulnerability from nvd – Published: 2026-05-14 12:32 – Updated: 2026-05-14 18:30
VLAI
Title
Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Arbitrary File Read and Deletion
Summary
The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup directory parameter. This makes it possible for unauthenticated attackers to read and delete arbitrary files on the server, leading to Sensitive Information Exposure and potential site takeover. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists.
Severity
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpengine | Database Backup for WordPress |
Affected:
0 , ≤ 2.5.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T18:30:06.487780Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T18:30:42.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Database Backup for WordPress",
"vendor": "wpengine",
"versions": [
{
"lessThanOrEqual": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup directory parameter. This makes it possible for unauthenticated attackers to read and delete arbitrary files on the server, leading to Sensitive Information Exposure and potential site takeover. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:32:04.381Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e21b550-e1c5-4e23-9999-16c837353da9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/tags/2.5.2/wp-db-backup.php#L1623"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L157"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L1632"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L121"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3510595/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Database Backup for WordPress \u003c= 2.5.2 - Missing Authorization to Unauthenticated Arbitrary File Read and Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4030",
"datePublished": "2026-05-14T12:32:04.381Z",
"dateReserved": "2026-03-12T00:12:10.495Z",
"dateUpdated": "2026-05-14T18:30:42.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4029 (GCVE-0-2026-4029)
Vulnerability from nvd – Published: 2026-05-14 12:32 – Updated: 2026-05-14 15:57
VLAI
Title
Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Database Export
Summary
The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized database export in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check. This makes it possible for unauthenticated attackers to export database tables, leading to Sensitive Information Exposure. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists.
Severity
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpengine | Database Backup for WordPress |
Affected:
0 , ≤ 2.5.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:57:46.852987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:57:55.982Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Database Backup for WordPress",
"vendor": "wpengine",
"versions": [
{
"lessThanOrEqual": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized database export in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check. This makes it possible for unauthenticated attackers to export database tables, leading to Sensitive Information Exposure. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:32:04.851Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d4a21d0d-f455-4901-a04b-13c891cf8f75?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/tags/2.5.2/wp-db-backup.php#L1623"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L1632"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L153"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3510595/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Database Backup for WordPress \u003c= 2.5.2 - Missing Authorization to Unauthenticated Database Export"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4029",
"datePublished": "2026-05-14T12:32:04.851Z",
"dateReserved": "2026-03-12T00:07:50.008Z",
"dateUpdated": "2026-05-14T15:57:55.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4029 (GCVE-0-2026-4029)
Vulnerability from cvelistv5 – Published: 2026-05-14 12:32 – Updated: 2026-05-14 15:57
VLAI
Title
Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Database Export
Summary
The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized database export in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check. This makes it possible for unauthenticated attackers to export database tables, leading to Sensitive Information Exposure. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists.
Severity
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpengine | Database Backup for WordPress |
Affected:
0 , ≤ 2.5.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:57:46.852987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:57:55.982Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Database Backup for WordPress",
"vendor": "wpengine",
"versions": [
{
"lessThanOrEqual": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized database export in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check. This makes it possible for unauthenticated attackers to export database tables, leading to Sensitive Information Exposure. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:32:04.851Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d4a21d0d-f455-4901-a04b-13c891cf8f75?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/tags/2.5.2/wp-db-backup.php#L1623"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L1632"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L153"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3510595/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Database Backup for WordPress \u003c= 2.5.2 - Missing Authorization to Unauthenticated Database Export"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4029",
"datePublished": "2026-05-14T12:32:04.851Z",
"dateReserved": "2026-03-12T00:07:50.008Z",
"dateUpdated": "2026-05-14T15:57:55.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4030 (GCVE-0-2026-4030)
Vulnerability from cvelistv5 – Published: 2026-05-14 12:32 – Updated: 2026-05-14 18:30
VLAI
Title
Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Arbitrary File Read and Deletion
Summary
The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup directory parameter. This makes it possible for unauthenticated attackers to read and delete arbitrary files on the server, leading to Sensitive Information Exposure and potential site takeover. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists.
Severity
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpengine | Database Backup for WordPress |
Affected:
0 , ≤ 2.5.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T18:30:06.487780Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T18:30:42.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Database Backup for WordPress",
"vendor": "wpengine",
"versions": [
{
"lessThanOrEqual": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup directory parameter. This makes it possible for unauthenticated attackers to read and delete arbitrary files on the server, leading to Sensitive Information Exposure and potential site takeover. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:32:04.381Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e21b550-e1c5-4e23-9999-16c837353da9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/tags/2.5.2/wp-db-backup.php#L1623"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L157"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L1632"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L121"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3510595/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Database Backup for WordPress \u003c= 2.5.2 - Missing Authorization to Unauthenticated Arbitrary File Read and Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4030",
"datePublished": "2026-05-14T12:32:04.381Z",
"dateReserved": "2026-03-12T00:12:10.495Z",
"dateUpdated": "2026-05-14T18:30:42.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4031 (GCVE-0-2026-4031)
Vulnerability from cvelistv5 – Published: 2026-05-14 12:32 – Updated: 2026-05-14 19:51
VLAI
Title
Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Database Backup Interception
Summary
The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wp_db_temp_dir parameter, which controls where database backups are written. This makes it possible for unauthenticated attackers to send a request to wp-cron.php with a poisoned wp_db_temp_dir value pointing to a publicly accessible directory (e.g., wp-content/uploads/), and if a scheduled backup is due, intercept the backup file before it is cleaned up. The backup file has a predictable name based on the database name, table prefix, date, and Swatch Internet Time, making interception reliable. Successful exploitation leads to Sensitive Information Exposure including database credentials, user password hashes, and personally identifiable information. This vulnerability requires that the site administrator has configured scheduled backups.
Severity
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpengine | Database Backup for WordPress |
Affected:
0 , ≤ 2.5.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T16:02:56.309388Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:51:56.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Database Backup for WordPress",
"vendor": "wpengine",
"versions": [
{
"lessThanOrEqual": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wp_db_temp_dir parameter, which controls where database backups are written. This makes it possible for unauthenticated attackers to send a request to wp-cron.php with a poisoned wp_db_temp_dir value pointing to a publicly accessible directory (e.g., wp-content/uploads/), and if a scheduled backup is due, intercept the backup file before it is cleaned up. The backup file has a predictable name based on the database name, table prefix, date, and Swatch Internet Time, making interception reliable. Successful exploitation leads to Sensitive Information Exposure including database credentials, user password hashes, and personally identifiable information. This vulnerability requires that the site administrator has configured scheduled backups."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:32:02.352Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36615cae-418f-48b0-ba69-b54515cbe1d7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L121"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L85"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L961"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/trunk/wp-db-backup.php#L1568"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-db-backup/tags/2.5.2/wp-db-backup.php#L121"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3510595/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Database Backup for WordPress \u003c= 2.5.2 - Missing Authorization to Unauthenticated Database Backup Interception"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4031",
"datePublished": "2026-05-14T12:32:02.352Z",
"dateReserved": "2026-03-12T00:34:09.270Z",
"dateUpdated": "2026-05-14T19:51:56.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}