WordPress Plugin Vulnerabilities

Total Upkeep < 1.14.14 - Subscriber+ Backup Disclosure

Description

The plugin does not have authorisation in the heartbeat AJAX action used during a backup progress, allowing any authenticated users, such as subscriber to call it and retrieve backup paths and download them

Affects Plugins

Plugin icon
boldgrid-backup
Fixed in 1.14.14

References

CVE
CVE-2022-4932

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
No
WPVDB ID
11c00f8e-8a23-4d9f-8dea-e92d2c450755

Timeline

Publicly Published
2022-02-24 (about 4 years ago)
Added
2023-03-07 (about 3 years ago)
Last Updated
2023-03-07 (about 3 years ago)

Other

Published
Title
Published
2024-04-25
Title
KB Support < 1.6.1 - Missing Authorization
Published
2025-12-31
Title
Hide Plugins <= 1.0.4 - Missing Authorization
Published
2025-05-29
Title
WPeMatico RSS Feed Fetcher < 2.8.4 - Missing Authorization
Published
2026-02-04
Title
Addonify – WooCommerce Wishlist < 2.0.16 - Missing Authorization to Unauthenticated Settings Update
Published
2025-12-11
Title
WP Fastest Cache Premium < 1.7.5 - Subscriber+ Blind Server-Side Request Forgery