vulnerability
WordPress Plugin: backupbuddy: CVE-2022-31474: External Control of File Name or Path
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:C/I:N/A:N) | Sep 6, 2022 | May 15, 2025 | Apr 30, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published
Sep 6, 2022
Added
May 15, 2025
Modified
Apr 30, 2026
Description
The BackupBuddy plugin for WordPress is vulnerable to unauthenticated arbitrary file downloads via the 'local-download' found in the backupbuddy_local_download() function in versions 8.5.8.0 to 8.7.4.1. This is due to a missing capability check and nonce check on the affected function that is called via an admin_init hook along with insufficient file path validation on the supplied download file. This makes is possible for unauthenticated attackers to supply the complete path to a file, or use directory traversal techniques, to read any file hosted on the server. This includes sensitive files such as /etc/passwd and /wp-config.php.
Solution
backupbuddy-plugin-cve-2022-31474
References
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.