Backuply < 1.4.9 – Admin+ Arbitrary File Deletion | CVE 2025-10307 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Fixed in 1.4.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0dd53fad-1bd7-41ed-95cb-205a9b421724

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Benjamin Friedli

Verified

No

WPVDB ID

b8560299-700a-46ab-be5d-0399683c49ca

Timeline

Publicly Published

2025-09-25 (about 7 months ago)

Added

2025-09-25 (about 7 months ago)

Last Updated

2025-09-25 (about 7 months ago)

Other

Published

Title

Published

2025-04-04

Title

Streamit < 4.0.2 - Authenticated (Subscriber+) Arbitrary File Download

Published

2025-07-10

Title

Pro Bulk Watermark Plugin for WordPress <= 2.0 - Authenticated (Subscriber+) Path Traversal

Published

2025-07-07

Title

Easy Video Player Wordpress & WooCommerce <= 10.0 - Unauthenticated Arbitrary File Download

Published

2026-04-02

Title

Perfmatters < 2.6.0 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter

Published

2014-08-01

Title

Browser Rejector - Remote & Local File Inclusion