cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security research for boldgrid-backup (Total Upkeep)

Jun 07, 2024

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid # 03f561d4bedab4757f1463d04312a2b0f3638bcc

Date
Dec 15, 2020
Research Description
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid [boldgrid-backup] < 1.14.10: Sensitive Information Disclosure. Sensitive data disclosure (server IP address, UID, etc.) found by Wadeek in the WordPress Total Upkeep plugin, versions <= 1.14.9.
Affected versions
Min -, max -.
Status
vulnerable

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid # CVE-2024-24869

CVE, Research URL

CVE-2024-24869

Date
May 17, 2024
Research Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in BoldGrid Total Upkeep allows Relative Path Traversal. This issue affects Total Upkeep: from n/a through 1.15.8.
Affected versions
Min -, max -.
Status
vulnerable

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid # CVE-2022-4932

CVE, Research URL

CVE-2022-4932

Date
Mar 07, 2023
Research Description
The Total Upkeep plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 1.14.13. This is due to missing authorization on the heartbeat_received() function, which triggers on the WordPress heartbeat. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to retrieve backup paths that can subsequently be used to download the backup.
Affected versions
Min -, max -.
Status
vulnerable
Nov 28, 2024

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid # CVE-2024-9461

CVE, Research URL

CVE-2024-9461

Date
Nov 26, 2024
Research Description
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.6 via the cron_interval parameter. This is due to missing input validation and sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
Affected versions
Min -, max -.
Status
vulnerable
Feb 28, 2025

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid # CVE-2024-13907

CVE, Research URL

CVE-2024-13907

Date
Feb 27, 2025
Research Description
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.16.8 via the 'download' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Affected versions
Min -, max -.
Status
vulnerable
Mar 27, 2025

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid # CVE-2025-2257

CVE, Research URL

CVE-2025-2257

Date
Mar 26, 2025
Research Description
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting. This is due to the plugin using the compression_level setting in proc_open() without any validation. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server.
Affected versions
Min -, max -.
Status
vulnerable
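The entry above describes the root cause precisely: a stored setting (compression_level) reaches proc_open() unvalidated. As an added example in Python (not the plugin's PHP code, and not a reproduction of the actual payload), the vulnerable shape and the hardened shape side by side: the fix is to validate the setting against a closed set of values and then spawn the process with an argv list and no shell, so that no stored string can ever be parsed as a command. The zip invocation and the 0..9 level range are assumptions made for the illustration.

```python
import re
import subprocess
from typing import List, Union

# Assumed legal range: zip-style levels -0 (store) .. -9 (best); constructed for this example.
ALLOWED_LEVELS = range(0, 10)


def validate_compression_level(raw: Union[int, str, None]) -> int:
    """Return raw as an int in ALLOWED_LEVELS, or raise ValueError.

    Only a plain int or a string of ASCII digits is accepted. Shell metacharacters,
    negatives, whitespace tricks and out-of-range numbers are all rejected here,
    before the value gets anywhere near a process spawn.
    """
    if isinstance(raw, bool):  # bool is an int subclass; True would become level 1
        raise ValueError("boolean is not a compression level")
    if isinstance(raw, int):
        level = raw
    elif isinstance(raw, str) and re.fullmatch(r"[0-9]+", raw):
        level = int(raw)
    else:
        raise ValueError(f"invalid compression level: {raw!r}")
    if level not in ALLOWED_LEVELS:
        raise ValueError(f"compression level out of range: {level}")
    return level


def unsafe_command(level_setting: str, archive: str, source: str) -> str:
    """The vulnerable shape, kept only for contrast: the stored setting is pasted into
    a shell command line. A setting of '9; id' ends the zip command and runs 'id'."""
    return f"zip -{level_setting} -r {archive} {source}"


def safe_argv(level_setting: Union[int, str], archive: str, source: str) -> List[str]:
    """The hardened shape: validate first, then build an argv list that is executed
    without a shell, so no character in any argument can start a second command."""
    level = validate_compression_level(level_setting)
    return ["zip", f"-{level}", "-r", archive, source]


def run_compression(level_setting: Union[int, str], archive: str, source: str) -> int:
    """Spawn zip with the validated argv (shell=False). Returns the exit status."""
    return subprocess.run(safe_argv(level_setting, archive, source), check=False).returncode


if __name__ == "__main__":
    print(unsafe_command("9; id", "site.zip", "wp-content"))  # shows the injected 'id'
    print(safe_argv("9", "site.zip", "wp-content"))
    try:
        safe_argv("9; id", "site.zip", "wp-content")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that the allowlist check alone would be enough to stop this particular injection, and the argv form alone would be enough too; doing both means a future change to either side does not silently reopen the hole. Since the attacker here already holds Administrator access, the practical lesson is that settings written by privileged users still count as untrusted input once they are used to build a command.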
Jul 12, 2025

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid # CVE-2025-34084

CVE, Research URL

CVE-2025-34084

Date
Jul 09, 2025
Research Description
An unauthenticated information disclosure vulnerability exists in the WordPress Total Upkeep plugin (also known as BoldGrid Backup) prior to version 1.14.10. The plugin exposes multiple endpoints that allow unauthenticated users to retrieve detailed server configuration (env-info.php) and discover backup metadata (restore-info.json). These backups, which may include full SQL database dumps, are accessible without authentication if their paths are known or guessed. The restore-info.json endpoint discloses the absolute filesystem path of the latest backup, which attackers can convert into a web-accessible URL under wp-content/uploads/ and download. Extracting the database archive may yield credential hashes from the wp_users table, facilitating offline password cracking or credential stuffing attacks.
Affected versions
Min -, max -.
Status
vulnerable
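The entry above, like the first entry on this page, turns on one detail: restore-info.json reveals an absolute filesystem path, and a backup stored under wp-content/uploads/ is therefore fetchable by anyone who rewrites that path as a URL. As an added example in Python (not the plugin's code), here is that path-to-URL mapping as a defender or pentester would script it for verification, including the case that matters for mitigation, a backup kept outside the web root. The JSON body, its key name 'filepath', and the site URL are constructed for this example; the page does not describe the real schema or where the two endpoints live.

```python
import json
from typing import Optional
from urllib.parse import quote

UPLOADS_MARKER = "/wp-content/uploads/"

# Constructed restore-info.json body. The key name 'filepath' is an assumption for this
# example; the real schema is not described on this page.
SAMPLE_RESTORE_INFO = json.dumps({
    "filepath": "/var/www/html/wp-content/uploads/boldgrid_backup/"
                "boldgrid-backup-example-20250701.zip",
    "timestamp": 1751328000,
})


def backup_url_from_restore_info(body: str, site_url: str,
                                 path_key: str = "filepath") -> Optional[str]:
    """Turn the absolute backup path in a restore-info.json body into the URL it is
    served from, or None if the body is unusable or the path is not under uploads.

    The conversion keeps everything from 'wp-content/uploads/' onwards and prefixes
    the site URL. Backslashes are normalised so a Windows host path still maps.
    """
    try:
        info = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(info, dict):
        return None
    path = info.get(path_key)
    if not isinstance(path, str):
        return None
    path = path.replace("\\", "/")
    idx = path.find(UPLOADS_MARKER)
    if idx == -1:
        # A backup stored outside the web root is not reachable by this route;
        # keeping archives out of wp-content/uploads is the mitigation this shows.
        return None
    relative = path[idx + 1:]  # drop the leading '/', keep 'wp-content/uploads/...'
    return site_url.rstrip("/") + "/" + quote(relative)


def exposure_report(body: str, site_url: str) -> dict:
    """Summarise what a disclosed restore-info.json body gives an unauthenticated client."""
    url = backup_url_from_restore_info(body, site_url)
    return {"web_reachable": url is not None, "url": url}


if __name__ == "__main__":
    print(exposure_report(SAMPLE_RESTORE_INFO, "https://example.test/"))
    outside = json.dumps({"filepath": "/var/backups/boldgrid/site.zip"})
    print(exposure_report(outside, "https://example.test/"))
```

If the derived URL answers 200 on a site you are authorised to test, the archive (and, per the entry above, any SQL dump inside it) is world-readable; the fix on the defender's side is the combination of the 1.14.10 upgrade and a backup location the web server does not serve.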