BackWPup is one of the most widely deployed WordPress backup plugins (500k+ installs), often used to create full site archives containing database dumps and wp-content files. Those archives frequently include highly sensitive secrets—database credentials from wp-config.php, authentication salts, plugin configuration tokens, and user password hashes. CVE-2025-10579 describes a high-impact exposure chain where any authenticated low-privileged user (e.g., Subscriber) can (1) read live backup logs through an unprotected AJAX endpoint, (2) learn the exact archive filename as soon as it is generated, and (3) download the full backup archive from a web-served directory whose per-site “random” subfolder is only six hex characters. This combination of missing authorization plus predictable resource location turns backup archives into an easily harvested target, enabling complete confidentiality compromise and rapid pivot to full administrative control.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-10579 |
| Plugin Version | BackWPup 5 – 5.5.0 |
| Severity | High |
| All Time | 21 747 180 |
| Active installations | 500 000+ |
| Publicly Published | September 4, 2025 |
| Last Updated | September 4, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10579 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/backwpup/backwpup-550-missing-authorization-to-sensitive-information-exposure |
Timeline
| Date | Event |
| --- | --- |
| September 3, 2025 | Plugin testing and vulnerability detection in the BackWPup – WordPress Backup & Restore Plugin has been completed |
| September 3, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 24, 2025 | Registered CVE-2025-10579 |
Discovery of the Vulnerability
The issue was discovered by analyzing the backwpup_working AJAX action (/wp-admin/admin-ajax.php?action=backwpup_working). This endpoint returns live log content to any logged-in user, without verifying capabilities or a CSRF nonce—an explicit CWE-862 (Missing Authorization) / CWE-200 (Information Exposure) condition. The log output reliably includes a line revealing the backup filename, e.g., [INFO] Backup file is: 2025-09-03_04-30-48_...tar. BackWPup stores generated archives under a web-accessible path:
/wp-content/uploads/backwpup/<hex>/backups/<filename>
where <hex> is only 6 hexadecimal characters (16,777,216 possibilities). When debug logging is enabled, the log may also reveal the absolute filesystem path, from which an attacker can directly derive the public URL with no brute force. Otherwise, the attacker can brute-force the 6-hex directory using parallel HEAD requests until the correct folder is found.
Understanding Missing Authorization Attacks
Backups are among the most sensitive assets on a WordPress site. Secure backup systems treat archives as privileged data and ensure that both logs and storage locations are access-controlled. WordPress plugins commonly fail in two ways: they expose operational endpoints (logs/status) without role checks, and they store artifacts in public folders like wp-content/uploads/ without access controls. When the artifact path includes a short or guessable token (here, six hex digits), it becomes a “security through obscurity” failure. This exact pattern has historically led to real-world breaches where attackers harvest database dumps and take over sites by extracting DB credentials and user hashes.
Exploiting the Missing Authorization Vulnerability
To exploit CVE-2025-10579, an attacker with Subscriber+ cookies sends the following request.

PoC:

```http
GET /wordpress/wp-admin/admin-ajax.php?action=backwpup_working HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Origin: http://127.0.0.1
Connection: keep-alive
Cookie: Subscriber+
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
```
This vulnerability enables full site compromise on multi-user WordPress sites, even when Subscriber accounts are intended to be harmless. Real-world consequences include:
- Total confidentiality breach: Any user data, orders, emails, tokens, and plugin secrets included in archives can be exfiltrated.
- Rapid privilege escalation: DB credentials and salts enable attackers to reset admin passwords or craft authenticated sessions.
- SEO spam / defacement: Attackers can inject spam links or malicious redirects after gaining admin access.
- Compliance exposure: Leaked customer data can trigger GDPR/CCPA reporting obligations and regulatory penalties.
- Repeatable harvesting: Once the attacker automates polling and scanning, they can harvest every new backup run.
Recommendations for Improved Security
To remediate CVE-2025-10579 effectively:
- Protect the `backwpup_working` endpoint
  - Add capability checks like `current_user_can('manage_options')` or a plugin-specific capability.
  - Require a valid nonce for log retrieval and reject unauthenticated/low-privileged access.
- Stop serving backups from a public directory
  - Store archives outside webroot (preferred).
  - If stored in `uploads/`, enforce server-side denies (Nginx/Apache) for `/uploads/backwpup/`.
  - Use expiring signed URLs if remote storage is required.
- Eliminate predictable paths
  - Replace the 6-hex directory with a high-entropy, per-site secret (e.g., 128-bit random).
  - Never log absolute file paths in user-accessible logs.
- Reduce backup sensitivity where possible
  - Encrypt archives at rest.
  - Avoid including secrets unless necessary and provide secure key management.
- Monitoring and incident response
  - Alert on requests to `/uploads/backwpup/*/backups/*.tar`.
  - Rotate DB credentials and salts if exposure is suspected; invalidate sessions and reset admin credentials.
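As an added example (not BackWPup's own code), the PHP below shows the handler-side fixes the discovery and recommendation sections call for: the unprotected `wp_ajax_` pattern beside a version with a capability check, a nonce check and path redaction, plus a 128-bit per-site directory token in place of six hex characters. The `backwpup_example_*` function names, the transient and option keys, and the nonce action string are assumptions chosen for illustration.

```php
<?php
// Added example, not BackWPup's own code. The backwpup_example_ function
// names, the transient/option keys and the nonce action string are
// assumptions chosen for illustration.

// BEFORE: the pattern the advisory describes. wp_ajax_* hooks fire for every
// authenticated role, so without checks any Subscriber receives the live log.
function backwpup_example_working_log_vulnerable() {
    $log = (string) get_transient( 'backwpup_example_live_log' );
    wp_send_json_success( array( 'log' => $log ) );
}

// AFTER: capability check (CWE-862), nonce check, and no absolute filesystem
// paths in the response (CWE-200).
function backwpup_example_working_log() {
    // Authorization: only users allowed to manage the site may read backup logs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // The nonce issued on the plugin's admin page must accompany the request;
    // check_ajax_referer() terminates with HTTP 403 when it is missing or invalid.
    check_ajax_referer( 'backwpup_example_working', 'nonce' );

    $log = (string) get_transient( 'backwpup_example_live_log' );
    wp_send_json_success( array( 'log' => backwpup_example_redact_paths( $log ) ) );
}
add_action( 'wp_ajax_backwpup_working', 'backwpup_example_working_log' );

// Replace the absolute install path (native or normalized form) with a placeholder
// before text leaves the server, so debug-level lines no longer reveal disk layout.
function backwpup_example_redact_paths( $log ) {
    $roots = array( ABSPATH, wp_normalize_path( ABSPATH ) );
    return str_replace( $roots, '[site-root]/', $log );
}

// Per-site directory token: 128 bits from a CSPRNG (about 3.4e38 values) instead
// of six hex characters (16,777,216 values), generated once and stored so the
// path stays stable. Storing archives outside the webroot remains preferable.
function backwpup_example_backup_dir() {
    $token = get_option( 'backwpup_example_dir_token' );
    if ( ! is_string( $token ) || ! preg_match( '/^[0-9a-f]{32}$/', $token ) ) {
        $token = bin2hex( random_bytes( 16 ) );
        update_option( 'backwpup_example_dir_token', $token, false );
    }
    $uploads = wp_upload_dir();
    return trailingslashit( $uploads['basedir'] ) . 'backwpup/' . $token . '/backups/';
}
```

The token only removes the guessability problem; the `/uploads/backwpup/` deny rule or out-of-webroot storage from the list above is still needed so that a leaked filename cannot be fetched directly.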
By taking proactive measures to address missing authorization vulnerabilities like CVE-2025-10579, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
