BackWPup < 5.5.1 – Missing Authorization to Sensitive Information Exposure | CVE 2025-10579 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve access to a back-up's filename while a backup is running. This information has little value on it's own, but could be used to aid in a brute force attack to retrieve back-up contents in limited environments (i.e. NGINX).

Affects Plugins

Fixed in 5.5.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1e9a1484-2000-47fa-9890-fa02eddabcd9

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

c5437657-e321-4a33-9a82-3c078c76d98e

Timeline

Publicly Published

2025-10-24 (about 6 months ago)

Added

2025-10-27 (about 6 months ago)

Last Updated

2025-10-27 (about 6 months ago)

Other

Published

Title

Published

2025-11-11

Title

Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images < 1.8.4 - Missing Authorization to Authenticated (Subscriber+) API Key Deletion

Published

2025-04-15

Title

Barcode Generator for WooCommerce < 2.0.5 - Authenticated (Subscriber+) Arbitrary Content Deletion

Published

2026-02-10

Title

Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) < 4.9.61 - Missing Authorization to Unauthenticated Arbitrary Attachment and Dropbox File Deletion

Published

2023-06-15

Title

CHP Ads Block Detector < 3.9.8 - Subscriber+ Plugin Settings Update

Published

2024-07-11

Title

WP Fast Total Search < 1.69.234 - Missing Authorization