cleantalk
Vulnerabilities and Security Researches

Backup Migration, CVE-2025-14944

CVE, Research URL

CVE-2025-14944

Home page URL

Security reports for Backup Migration

Application

Backup Migration

Published on
Apr 07, 2026
Research Description
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.
Affected versions
max 2.1.0.
Status
vulnerable
Previous vulnerability researches
Backup Migration , Apr 23, 2026
Backup Migration (CVE-2025-12394) , Dec 10, 2025
Backup Migration (CVE-2026-39480) , Apr 27, 2026
Backup Migration (CVE-2024-10932) , Jan 05, 2025
Backup Migration (CVE-2023-38514) , Jan 05, 2025
New vulnerability
IDPay Payment Gateway for Woocommerce (CVE-2026-34891) , Apr 27, 2026
Doppler Forms (CVE-2025-9544) , Apr 27, 2026
Acclectic Media Organizer (CVE-2025-48326) , Apr 27, 2026
Contact Form 7 reCAPTCHA (CVE-2025-8280) , Apr 27, 2026
Backup Migration (CVE-2026-39480) , Apr 27, 2026