WordPress Plugin Vulnerabilities

Backup Migration < 2.1.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage

Description

The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.

Affects Plugins

Plugin icon
backup-backup
Fixed in 2.1.0

References

CVE
CVE-2025-14944
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
0N0ise
Verified
No
WPVDB ID
3be0dc38-e8a0-4578-a1f2-cc8a89d87f78

Timeline

Publicly Published
2026-04-06 (about 1 month ago)
Added
2026-04-07 (about 1 month ago)
Last Updated
2026-04-07 (about 1 month ago)

Other

Published
Title
Published
2024-09-04
Title
Geo Controller < 8.7.0 - Missing Authorization to Unauthenticated Shortcode Execution
Published
2025-12-31
Title
Core Web Vitals & PageSpeed Booster <= 1.0.27 - Missing Authorization
Published
2025-12-31
Title
Realbig <= 1.1.3 - Missing Authorization
Published
2025-03-31
Title
Google SEO Pressor Snippet <= 2.0 - Missing Authorization
Published
2024-09-24
Title
WP Free SSL – Free SSL Certificate for WordPress and force HTTPS <= 1.2.6 - Missing Authorization