Vulnerabilities and security researches forbackup-bolt backup-bolt

Nov 11, 2025

CVE, Research URL: CVE-2025-10306
Home page URL: Security reports for Backup Bolt
Application: Backup Bolt
Date: Oct 03, 2025
Research Description: The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to download directories outside of the webroot and write backup zip files to arbitrary locations.
Affected versions: max 1.4.1.
Status: vulnerable

CVE, Research URL: CVE-2023-53597
Home page URL: Security reports for Backup Bolt
Application: Backup Bolt
Date: Oct 04, 2025
Research Description: In the Linux kernel, the following vulnerability has been resolved: cifs: fix mid leak during reconnection after timeout threshold When the number of responses with status of STATUS_IO_TIMEOUT exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect the connection. But we do not return the mid, or the credits returned for the mid, or reduce the number of in-flight requests. This bug could result in the server->in_flight count to go bad, and also cause a leak in the mids. This change moves the check to a few lines below where the response is decrypted, even of the response is read from the transform header. This way, the code for returning the mids can be reused. Also, the cifs_reconnect was reconnecting just the transport connection before. In case of multi-channel, this may not be what we want to do after several timeouts. Changed that to reconnect the session and the tree too. Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name MAX_STATUS_IO_TIMEOUT.
Affected versions: max 1.5.0.
Status: vulnerable

Aug 22, 2025

CVE, Research URL: CVE-2025-49040
Home page URL: Security reports for Backup Bolt
Application: Backup Bolt
Date: Aug 27, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Backup Bolt allows Cross Site Request Forgery.This issue affects Backup Bolt: from n/a through 1.4.1.
Affected versions: max 1.4.1.
Status: vulnerable

Jun 11, 2024

CVE, Research URL: bc0c1fa51c016cd29c9a4fcba7b97da23cfc4c93
Home page URL: Security reports for Backup Bolt
Application: Backup Bolt
Date: Jul 18, 2023
Research Description: Backup Bolt [backup-bolt] < 1.2.0 WordPress Backup Bolt Plugin <= 1.1.3 is vulnerable to Cross Site Scripting (XSS) Update the WordPress Backup Bolt plugin to the latest available version (at least 1.2.0). Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Backup Bolt Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.2.0.
Affected versions: max 1.2.0.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-7236
Home page URL: Security reports for Backup Bolt
Application: Backup Bolt
Date: Mar 19, 2024
Research Description: The Backup Bolt WordPress plugin through 1.3.0 is vulnerable to Information Exposure via the unprotected access of debug logs. This makes it possible for unauthenticated attackers to retrieve the debug log which may contain information like system errors which could contain sensitive information.
Affected versions: max 1.4.0.
Status: vulnerable