WordPress Plugin Vulnerabilities

Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin < 2.3.9 - Missing Authorization to Unauthenticated Backup Failure

Description

The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress.

Affects Plugins

Plugin icon
everest-backup
Fixed in 2.3.9

References

CVE
CVE-2025-10304
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f7d7c619-7dc0-47a5-a203-6df4dfa0158b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Jonas Benjamin Friedli
Verified
No
WPVDB ID
a022653c-76ec-47fb-aaae-e3a2689308f7

Timeline

Publicly Published
2025-12-02 (about 6 months ago)
Added
2025-12-02 (about 6 months ago)
Last Updated
2025-12-03 (about 6 months ago)

Other

Published
Title
Published
2025-05-07
Title
Bulk Featured Image <= 1.2.4 - Missing Authorization
Published
2023-11-13
Title
Simple 301 Redirects by BetterLinks < 2.0.8 - Missing Authorization via clicked
Published
2025-01-16
Title
WordPress Graphs & Charts <= 2.0.8 - Missing Authorization
Published
2026-03-23
Title
Tutor LMS Pro < 3.9.9 - Missing Authorization
Published
2024-07-19
Title
WooCommerce - Social Login < 2.7.4 - Missing Authorization to Unauthenticated Privilege Escalation