WordPress Plugin Vulnerabilities

BackupWordPress 3.12 - Subscriber+ Backup Disclosure

Description

The plugin does not have authorisation in the heartbeat AJAX action used during a backup progress, allowing any authenticated users, such as subscriber to call it and retrieve backup paths and download them

Affects Plugins

Plugin icon
backupwordpress
Fixed in 3.13

References

CVE
CVE-2022-4931

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
240b5fdf-c581-4cea-aa9a-dcfaf72b7ad9

Timeline

Publicly Published
2022-02-23 (about 4 years ago)
Added
2023-03-07 (about 3 years ago)
Last Updated
2023-03-07 (about 3 years ago)

Other

Published
Title
Published
2025-04-07
Title
Specia Companion <= 6.2 - Missing Authorization
Published
2024-02-14
Title
EventPrime – Events Calendar, Bookings and Tickets < 3.4.2 - Missing Authorization to Authenticated (Subscriber+) Event Export
Published
2026-01-27
Title
ELEX WordPress HelpDesk & Customer Ticketing System < 3.3.6 - Missing Authorization
Published
2024-03-29
Title
SP Project & Document Manager <= 4.70 - Missing Authorization Stored Cross-Site Scripting
Published
2022-03-14
Title
Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure