WordPress Plugin Vulnerabilities

Backup and Move <= 0.1 - Missing Authorization

Description

The Backup and Move plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
backup-and-move
No known fix

References

CVE
CVE-2025-53246
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5f4f07bf-192c-442f-ad68-fea1a84c5e87

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
1ab5b463-af24-4543-b81d-877dddbce1fe

Timeline

Publicly Published
2025-06-07 (about 9 months ago)
Added
2025-12-11 (about 3 months ago)
Last Updated
2025-12-11 (about 3 months ago)

Other

Published
Title
Published
2023-11-28
Title
JetElements For Elementor < 2.6.13.1 - Missing Authorization to Unauthenticated Arbitrary Attachment Download
Published
2024-01-24
Title
Category Discount Woocommerce < 4.13 - Missing Authorization via wpcd_save_discount()
Published
2024-07-16
Title
Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin < 5.7.27 - Missing Authorization
Published
2022-07-26
Title
Automations By Autonami < 2.1.2 - Subscriber+ Automation Creation
Published
2026-01-27
Title
Directorist <= 8.5.8 - Missing Authorization