vulnerability

WordPress Plugin: backwpup: CVE-2025-10579: Missing Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:M/Au:S/C:C/I:N/A:N)	Oct 24, 2025	Oct 27, 2025	Oct 30, 2025

Severity

CVSS

(AV:N/AC:M/Au:S/C:C/I:N/A:N)

Published

Oct 24, 2025

Added

Oct 27, 2025

Modified

Oct 30, 2025

Description

The BackWPup – WordPress Backup and Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in versions 5 through 5.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve access to a back-up's filename while a backup is running. This information has little value on it's own, but could be used to aid in a brute force attack to retrieve back-up contents in limited environments (i.e. NGINX).

Solution

backwpup-plugin-cve-2025-10579

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-10579
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/1e9a1484-2000-47fa-9890-fa02eddabcd9?source=api-prod
CVE-2025-10579
https://attackerkb.com/topics/CVE-2025-10579
CWE-862

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today