BackWPup < 5.6.7 – Admin+ Local File Inclusion via 'block_name' Parameter | CVE 2026-6227 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability.

Affects Plugins

Fixed in 5.6.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/084e3f78-275b-4692-9cce-e17074f55cfb

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Pixel_DefaultBR

Verified

No

WPVDB ID

9c482683-a38f-4eeb-90d0-cf1d24b2c333

Timeline

Publicly Published

2026-04-13 (about 1 month ago)

Added

2026-04-13 (about 1 month ago)

Last Updated

2026-04-13 (about 1 month ago)

Other

Published

Title

Published

2025-11-12

Title

Data Tables Generator by Supsystic < 1.10.46 - Authenticated (Admin+) Arbitrary File Deletion

Published

2026-02-16

Title

WP Maps < 4.8.7 - Subscriber+ Limited Local File Inclusion

Published

2024-07-09

Title

Jobmonster < 4.7.5 - Unauthenticated Arbitrary File Deletion

Published

2024-12-17

Title

WPLMS < 1.9.9.5.2 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2026-02-04

Title

ShortPixel Image Optimizer < 6.4.3 - Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter