Search criteria
8 vulnerabilities found for Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin by everestthemes
CVE-2025-10304 (GCVE-0-2025-10304)
Vulnerability from nvd – Published: 2025-12-03 03:27 – Updated: 2025-12-03 14:44
VLAI?
Summary
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| everestthemes | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin |
Affected:
* , ≤ 2.3.8
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10304",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T14:43:59.973715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T14:44:15.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin",
"vendor": "everestthemes",
"versions": [
{
"lessThanOrEqual": "2.3.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T03:27:15.009Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f7d7c619-7dc0-47a5-a203-6df4dfa0158b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3400800%40everest-backup\u0026new=3400800%40everest-backup\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-18T17:25:45.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-02T15:27:08.000+00:00",
"value": "Disclosed"
}
],
"title": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin \u003c= 2.3.8 - Missing Authorization to Unauthenticated Backup Failure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10304",
"datePublished": "2025-12-03T03:27:15.009Z",
"dateReserved": "2025-09-11T21:54:46.884Z",
"dateUpdated": "2025-12-03T14:44:15.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11380 (GCVE-0-2025-11380)
Vulnerability from nvd – Published: 2025-10-11 02:24 – Updated: 2025-10-14 14:14
VLAI?
Summary
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'everest_process_status' AJAX action in all versions up to, and including, 2.3.5. This makes it possible for unauthenticated attackers to retrieve back-up file locations that can be subsequently accessed and downloaded. This does require a back-up to be running in order for an attacker to retrieve the back-up location.
Severity ?
5.9 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| everestthemes | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin |
Affected:
* , ≤ 2.3.5
(semver)
|
Credits
Carl Pearson
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T13:42:22.572469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T14:14:54.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin",
"vendor": "everestthemes",
"versions": [
{
"lessThanOrEqual": "2.3.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Carl Pearson"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027everest_process_status\u0027 AJAX action in all versions up to, and including, 2.3.5. This makes it possible for unauthenticated attackers to retrieve back-up file locations that can be subsequently accessed and downloaded. This does require a back-up to be running in order for an attacker to retrieve the back-up location."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-11T02:24:52.480Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/869d7cab-cf21-4168-b45d-1681c76d896c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3374193%40everest-backup\u0026new=3374193%40everest-backup\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-06T17:29:02.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-10T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Everest Backup \u003c= 2.3.5 - Missing Authorization to Unauthenticated Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11380",
"datePublished": "2025-10-11T02:24:52.480Z",
"dateReserved": "2025-10-06T17:13:51.116Z",
"dateUpdated": "2025-10-14T14:14:54.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10028 (GCVE-0-2024-10028)
Vulnerability from nvd – Published: 2024-11-05 23:28 – Updated: 2024-11-06 15:11
VLAI?
Summary
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.13 via the exposed process stats file during the backup process. This makes it possible for unauthenticated attackers to obtain an archive file name and download the site's backup.
Severity ?
7.5 (High)
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| everestthemes | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin |
Affected:
* , ≤ 2.2.13
(semver)
|
Credits
Flo
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:everestthemes:everest_backup:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "everest_backup",
"vendor": "everestthemes",
"versions": [
{
"lessThanOrEqual": "2.2.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10028",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-06T15:10:12.532701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-06T15:11:04.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin",
"vendor": "everestthemes",
"versions": [
{
"lessThanOrEqual": "2.2.13",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Flo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.13 via the exposed process stats file during the backup process. This makes it possible for unauthenticated attackers to obtain an archive file name and download the site\u0027s backup."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T23:28:42.426Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b871957-a2b3-492f-b461-7040d9098b2b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/everest-backup/tags/2.2.13/inc/classes/class-backup-directory.php#L514"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-08T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-11-05T10:40:39.000+00:00",
"value": "Disclosed"
}
],
"title": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin \u003c= 2.2.13 - Sensitive Invormation Disclosure via procstat Log"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10028",
"datePublished": "2024-11-05T23:28:42.426Z",
"dateReserved": "2024-10-16T10:28:55.295Z",
"dateUpdated": "2024-11-06T15:11:04.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52185 (GCVE-0-2023-52185)
Vulnerability from nvd – Published: 2023-12-31 16:50 – Updated: 2024-09-09 17:24
VLAI?
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Everestthemes Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin.This issue affects Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin: from n/a through 2.1.9.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Everestthemes | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin |
Affected:
n/a , ≤ 2.1.9
(custom)
|
Credits
Joshua Chan (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:55:41.274Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/everest-backup/wordpress-everest-backup-plugin-2-1-9-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52185",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T17:23:36.565411Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T17:24:09.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "everest-backup",
"product": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin",
"vendor": "Everestthemes",
"versions": [
{
"changes": [
{
"at": "2.2.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Joshua Chan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Everestthemes Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026amp; Cloning Plugin.\u003cp\u003eThis issue affects Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026amp; Cloning Plugin: from n/a through 2.1.9.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Everestthemes Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin.This issue affects Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin: from n/a through 2.1.9.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T16:50:39.274Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/everest-backup/wordpress-everest-backup-plugin-2-1-9-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;2.2.0 or a higher version."
}
],
"value": "Update to\u00a02.2.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Everest Backup Plugin \u003c= 2.1.9 is vulnerable to Sensitive Data Exposure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-52185",
"datePublished": "2023-12-31T16:50:39.274Z",
"dateReserved": "2023-12-29T10:17:04.430Z",
"dateUpdated": "2024-09-09T17:24:09.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10304 (GCVE-0-2025-10304)
Vulnerability from cvelistv5 – Published: 2025-12-03 03:27 – Updated: 2025-12-03 14:44
VLAI?
Summary
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| everestthemes | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin |
Affected:
* , ≤ 2.3.8
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10304",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T14:43:59.973715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T14:44:15.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin",
"vendor": "everestthemes",
"versions": [
{
"lessThanOrEqual": "2.3.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T03:27:15.009Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f7d7c619-7dc0-47a5-a203-6df4dfa0158b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3400800%40everest-backup\u0026new=3400800%40everest-backup\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-18T17:25:45.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-02T15:27:08.000+00:00",
"value": "Disclosed"
}
],
"title": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin \u003c= 2.3.8 - Missing Authorization to Unauthenticated Backup Failure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10304",
"datePublished": "2025-12-03T03:27:15.009Z",
"dateReserved": "2025-09-11T21:54:46.884Z",
"dateUpdated": "2025-12-03T14:44:15.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11380 (GCVE-0-2025-11380)
Vulnerability from cvelistv5 – Published: 2025-10-11 02:24 – Updated: 2025-10-14 14:14
VLAI?
Summary
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'everest_process_status' AJAX action in all versions up to, and including, 2.3.5. This makes it possible for unauthenticated attackers to retrieve back-up file locations that can be subsequently accessed and downloaded. This does require a back-up to be running in order for an attacker to retrieve the back-up location.
Severity ?
5.9 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| everestthemes | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin |
Affected:
* , ≤ 2.3.5
(semver)
|
Credits
Carl Pearson
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T13:42:22.572469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T14:14:54.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin",
"vendor": "everestthemes",
"versions": [
{
"lessThanOrEqual": "2.3.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Carl Pearson"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027everest_process_status\u0027 AJAX action in all versions up to, and including, 2.3.5. This makes it possible for unauthenticated attackers to retrieve back-up file locations that can be subsequently accessed and downloaded. This does require a back-up to be running in order for an attacker to retrieve the back-up location."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-11T02:24:52.480Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/869d7cab-cf21-4168-b45d-1681c76d896c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3374193%40everest-backup\u0026new=3374193%40everest-backup\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-06T17:29:02.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-10T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Everest Backup \u003c= 2.3.5 - Missing Authorization to Unauthenticated Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11380",
"datePublished": "2025-10-11T02:24:52.480Z",
"dateReserved": "2025-10-06T17:13:51.116Z",
"dateUpdated": "2025-10-14T14:14:54.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10028 (GCVE-0-2024-10028)
Vulnerability from cvelistv5 – Published: 2024-11-05 23:28 – Updated: 2024-11-06 15:11
VLAI?
Summary
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.13 via the exposed process stats file during the backup process. This makes it possible for unauthenticated attackers to obtain an archive file name and download the site's backup.
Severity ?
7.5 (High)
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| everestthemes | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin |
Affected:
* , ≤ 2.2.13
(semver)
|
Credits
Flo
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:everestthemes:everest_backup:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "everest_backup",
"vendor": "everestthemes",
"versions": [
{
"lessThanOrEqual": "2.2.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10028",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-06T15:10:12.532701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-06T15:11:04.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin",
"vendor": "everestthemes",
"versions": [
{
"lessThanOrEqual": "2.2.13",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Flo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.13 via the exposed process stats file during the backup process. This makes it possible for unauthenticated attackers to obtain an archive file name and download the site\u0027s backup."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T23:28:42.426Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b871957-a2b3-492f-b461-7040d9098b2b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/everest-backup/tags/2.2.13/inc/classes/class-backup-directory.php#L514"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-08T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-11-05T10:40:39.000+00:00",
"value": "Disclosed"
}
],
"title": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin \u003c= 2.2.13 - Sensitive Invormation Disclosure via procstat Log"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10028",
"datePublished": "2024-11-05T23:28:42.426Z",
"dateReserved": "2024-10-16T10:28:55.295Z",
"dateUpdated": "2024-11-06T15:11:04.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52185 (GCVE-0-2023-52185)
Vulnerability from cvelistv5 – Published: 2023-12-31 16:50 – Updated: 2024-09-09 17:24
VLAI?
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Everestthemes Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin.This issue affects Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin: from n/a through 2.1.9.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Everestthemes | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin |
Affected:
n/a , ≤ 2.1.9
(custom)
|
Credits
Joshua Chan (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:55:41.274Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/everest-backup/wordpress-everest-backup-plugin-2-1-9-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52185",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T17:23:36.565411Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T17:24:09.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "everest-backup",
"product": "Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin",
"vendor": "Everestthemes",
"versions": [
{
"changes": [
{
"at": "2.2.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Joshua Chan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Everestthemes Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026amp; Cloning Plugin.\u003cp\u003eThis issue affects Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026amp; Cloning Plugin: from n/a through 2.1.9.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Everestthemes Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin.This issue affects Everest Backup \u2013 WordPress Cloud Backup, Migration, Restore \u0026 Cloning Plugin: from n/a through 2.1.9.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T16:50:39.274Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/everest-backup/wordpress-everest-backup-plugin-2-1-9-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;2.2.0 or a higher version."
}
],
"value": "Update to\u00a02.2.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Everest Backup Plugin \u003c= 2.1.9 is vulnerable to Sensitive Data Exposure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-52185",
"datePublished": "2023-12-31T16:50:39.274Z",
"dateReserved": "2023-12-29T10:17:04.430Z",
"dateUpdated": "2024-09-09T17:24:09.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}