WordPress Plugin Vulnerabilities

Total Upkeep < 1.15.9 - Improper Authorization to Unauthenticated Arbitrary File Download

Description

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check in all versions up to, and including, 1.15.8. This makes it possible for unauthenticated attackers to download arbitrary files using the plugin's CLI functionality.

Affects Plugins

Plugin icon
boldgrid-backup
Fixed in 1.15.9

References

CVE
CVE-2024-24869
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/159e14fc-0512-421a-8bbe-d16c0b04ddf9

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Yudistira Arya
Verified
No
WPVDB ID
e96721fc-64e3-4d5f-b669-dd549603a50b

Timeline

Publicly Published
2024-02-02 (about 2 years ago)
Added
2024-02-06 (about 2 years ago)
Last Updated
2024-02-06 (about 2 years ago)

Other

Published
Title
Published
2025-08-11
Title
WP Private Content Plus <= 3.6.2 - Unauthenticated Sensitive Information Exposure
Published
2024-02-08
Title
Passster – Password Protect Pages and Content < 4.2.6.3 - Missing Authorization to Sensitive Information Exposure
Published
2021-09-01
Title
Gutenberg Template Library & Redux Framework < 4.2.13 - Unauthenticated Sensitive Information Disclosure
Published
2025-10-02
Title
RestroPress – Online Food Ordering System < 3.2.2 - Unauthenticated Information Exposure to Authentication Bypass via Forged JWT
Published
2026-04-07
Title
Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint