cleantalk
Vulnerabilities and Security Researches

BackWPup – WordPress Backup Plugin, CVE-2025-10579

CVE, Research URL

CVE-2025-10579

Home page URL

Security reports for BackWPup – WordPress Backup Plugin

Application

BackWPup – WordPress Backup Plugin

Published on
Oct 25, 2025
Research Description
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve access to a back-up's filename while a backup is running. This information has little value on it's own, but could be used to aid in a brute force attack to retrieve back-up contents in limited environments (i.e. NGINX).
Affected versions
max 5.5.1.
Status
vulnerable
Previous vulnerability researches
Next Page, Not Next Post (CVE-2025-62943) , Nov 10, 2025
New vulnerability
WP Geo (CVE-2025-62904) , Nov 11, 2025
Emails Catch All (CVE-2025-60041) , Nov 11, 2025
SH Contextual Help (CVE-2025-12410) , Nov 11, 2025
Document Embedder (CVE-2025-12384) , Nov 11, 2025
WP VR – 360 Panorama and Virtual Tour Builder For WordPress (CVE-2025-12005) , Nov 11, 2025