BackWPup < 5.6.3 – BackWPup Helper+ Privilege Escalation via Arbitrary Options Update | CVE 2025-15041 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function. This makes it possible for authenticated attackers, with BackWPup Helper level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affects Plugins

Fixed in 5.6.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2ab8f440-2910-41a3-8bbc-afb4cafd33b5

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

0N0ise

Verified

No

WPVDB ID

fd2ef900-fc69-4760-86da-cbd1ac01c844

Timeline

Publicly Published

2026-02-18 (about 2 months ago)

Added

2026-02-18 (about 2 months ago)

Last Updated

2026-02-18 (about 2 months ago)

Other

Published

Title

Published

2022-11-28

Title

Directorist < 7.4.4 - Subscriber+ Sensitive Information Disclosure

Published

2026-03-31

Title

Simple Membership < 4.7.2 - Missing Authorization

Published

2024-04-25

Title

KB Support < 1.6.1 - Missing Authorization

Published

2025-10-06

Title

MSN Partner Hub <= 2.8.7 - Missing Authorization

Published

2026-02-13

Title

Smart Forms < 2.6.101 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure