Backup plugins occupy one of the most privileged positions in the WordPress ecosystem. By design, they need deep access to your files, database, and server — which makes them prime targets when vulnerabilities creep in. An attacker who exploits a flaw in your backup plugin doesn't just read a comment or redirect a link; they can exfiltrate your entire database, overwrite core files, or take over your site completely.
We queried the WP-Safety vulnerability database — ranked by total CVE count — and pulled detailed records on every plugin in the top 10. What follows is a data-driven audit of the backup plugins most in need of your attention, complete with real CVSS scores, vulnerability types, and patch timelines. All plugins on this list are currently fully patched, but their historical track records reveal patterns every site owner should understand.
⚠️ Audit Prompt: If any of the plugins below are installed on your site, check that you are running the latest version. Every CVE listed here has a patched version — there is no excuse to run anything older.
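One concrete way to run that audit, as an added example that is not part of this article or of any plugin's own tooling: the script below reads the Version header that WordPress itself parses from each plugin's main file and compares it with the patched versions given in the tables here. The plugin directory and file names in the demo mapping are placeholders you replace with the slugs under your own wp-content/plugins directory; the fixture it builds under a temporary directory is constructed purely for the demonstration.

```python
"""Check installed WordPress plugin versions against known patched releases.

Added example: not the article's code nor any plugin's own tooling. It reads the
"Version:" header from each plugin's main PHP file (the header WordPress itself
parses) and reports any plugin below the minimum patched version you give it.
The patched versions in DEMO_REQUIRED come from the article's tables; the
plugin directory and file names there are assumptions, so adjust them to
match the slugs actually present under wp-content/plugins on your site.
"""
import os
import re
import tempfile

# Matches " * Version: 1.2.3" inside the plugin header comment block.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Constructed mapping: directory name -> (main file, minimum patched version).
# Versions are "Patched In" values from the article; names are placeholders.
DEMO_REQUIRED = {
    "example-backup": ("example-backup.php", "0.9.124"),   # WPvivid's fix
    "example-sync": ("example-sync.php", "14.1"),          # Jetpack's fix
    "example-missing": ("example-missing.php", "1.5.10"),  # Duplicator's fix
}


def parse_version(text):
    """Turn '0.9.124' or '12.8-a.3' into a tuple that compares sensibly.

    Trailing zeros are dropped so 0.1.2.0 == 0.1.2, and a pre-release suffix
    (anything after '-') sorts below the bare release of the same number.
    """
    main, _, suffix = text.strip().partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), (0, suffix) if suffix else (1, ""))


def read_plugin_version(main_file):
    """Return the Version header of a plugin main file, or None if absent."""
    with open(main_file, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress only inspects the first 8 KB for headers
    match = VERSION_RE.search(head)
    return match.group(1) if match else None


def audit_plugins(plugins_dir, required):
    """Compare each required plugin against its patched version.

    Returns a dict: directory name -> (installed version or None, status) with
    status one of 'ok', 'OUTDATED', 'unknown' (no header) or 'not installed'.
    """
    report = {}
    for name, (main_rel, min_version) in required.items():
        path = os.path.join(plugins_dir, name, main_rel)
        if not os.path.isfile(path):
            report[name] = (None, "not installed")
            continue
        installed = read_plugin_version(path)
        if installed is None:
            report[name] = (None, "unknown")
        elif parse_version(installed) < parse_version(min_version):
            report[name] = (installed, "OUTDATED")
        else:
            report[name] = (installed, "ok")
    return report


def build_demo_plugins_dir():
    """Constructed fixture: a throwaway plugins directory with two headers."""
    root = tempfile.mkdtemp(prefix="wp-plugins-demo-")
    fixtures = {
        "example-backup/example-backup.php": "0.9.123",  # one below the fix
        "example-sync/example-sync.php": "14.2",         # already past the fix
    }
    for rel, version in fixtures.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: Demo\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    # Point plugins_dir at <webroot>/wp-content/plugins on a real site.
    plugins_dir = build_demo_plugins_dir()
    for name, (installed, status) in audit_plugins(plugins_dir, DEMO_REQUIRED).items():
        print(f"{name:20} installed={installed or '-':10} status={status}")
```

The version comparison deliberately treats a suffixed build such as 12.8-a.3 as older than the plain 12.8 release and ignores trailing zeros, which is what the mixed version strings in these tables need; anything more exotic should be compared by hand.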
The Ranked List at a Glance
| Rank | Plugin | CVEs | Security Score | Active Installs | Last Vuln |
|---|---|---|---|---|---|
| #1 | WPvivid Backup & Migration | 26 | 75/100 | 900,000 | Feb 2026 |
| #2 | Jetpack | 24 | 87/100 | 3,000,000 | Dec 2024 |
| #3 | XCloner | 16 | 76/100 | 10,000 | Dec 2025 |
| #4 | Duplicator | 15 | 87/100 | 1,000,000 | Jul 2024 |
| #5 | InstaWP Connect | 15 | 76/100 | 30,000 | Dec 2025 |
| #6 | UpdraftPlus | 14 | 90/100 | 3,000,000 | Jan 2025 |
| #7 | All-in-One WP Migration | 13 | 90/100 | 5,000,000 | Aug 2025 |
| #8 | WP Database Backup | 13 | 87/100 | 30,000 | Jan 2025 |
| #9 | Backup Migration | 12 | 77/100 | 100,000 | Nov 2025 |
| #10 | BackWPup | 10 | 83/100 | 500,000 | Feb 2026 |
Deep Dives: Plugin-by-Plugin CVE Analysis
#1 — WPvivid: Backup, Migration & Staging

| Metric | Value |
|---|---|
| Active Installs | 900,000 |
| Total CVEs | 26 |
| Unpatched CVEs | 0 |
| Security Score | 75 / 100 |
| Most Recent Vuln | February 10, 2026 |
WPvivid tops this list by a significant margin — 26 CVEs recorded and a security score of just 75/100 — and it earned its place with a frightening CVSS 9.8 critical vulnerability disclosed as recently as February 2026. That flaw (affecting versions ≤ 0.9.123) allowed unauthenticated arbitrary file upload, meaning any anonymous visitor on the internet could upload a malicious PHP shell and achieve full remote code execution — no account required.
5 Most Recent Vulnerabilities:
| Severity | Title | CVSS | Type | Patched In |
|---|---|---|---|---|
| 🔴 Critical | Unauthenticated Arbitrary File Upload | 9.8 | Unrestricted File Upload | 0.9.124 |
| 🟢 Low | Authenticated (Admin+) Arbitrary Directory Creation | 2.7 | External Control of File Path | 0.9.121 |
| 🟠 High | Authenticated (Admin+) Arbitrary File Upload | 7.2 | Unrestricted File Upload | 0.9.117 |
| 🟠 High | Arbitrary File Upload via wpvivid_upload_file | 7.2 | Unrestricted File Upload | 0.9.113 |
| 🟡 Medium | Missing Authorization | 5.3 | Missing Authorization | 0.9.107 |
The Pattern: WPvivid has a deeply recurring problem with file upload controls. Four of its five most recent CVEs involve some variant of unrestricted file upload or path manipulation. This is not a one-off coding mistake — it reflects a systemic gap in how the plugin validates and sanitizes upload operations. The February 2026 critical flaw is particularly alarming because it required zero authentication, placing all 900,000 active sites at immediate risk until patching.
Verdict: High-volume installs + lowest security score on the list + a pattern of critical unauthenticated vulnerabilities = the highest-priority plugin to audit today. Ensure you are on version 0.9.124 or later.
#2 — Jetpack – WP Security, Backup, Speed, & Growth

| Metric | Value |
|---|---|
| Active Installs | 3,000,000 |
| Total CVEs | 24 |
| Unpatched CVEs | 0 |
| Security Score | 87 / 100 |
| Most Recent Vuln | December 4, 2024 |
Jetpack lands at #2 with 24 CVEs and an exposure footprint of 3 million active sites — making the raw scale of risk here larger than nearly any other plugin on the web. To Automattic's credit, the security score holds at 87/100 and all issues have been patched, but the sheer breadth of functionality (backup, WAF, CDN, social, stats) means a proportionally large attack surface.
5 Most Recent Vulnerabilities:
| Severity | Title | CVSS | Type | Patched In |
|---|---|---|---|---|
| 🟡 Medium | Reflected DOM-based Cross-Site Scripting (v13.0–14.0) | 6.1 | XSS | 14.1 |
| 🟡 Medium | Unauthenticated Arbitrary Block & Shortcode Execution | 6.5 | Authorization Bypass | 13.8 |
| 🟡 Medium | Missing Authorization → Sensitive Information Disclosure | 4.3 | Missing Authorization | 10.0.2 |
| 🟡 Medium | Contributor+ Stored XSS via wpvideo Shortcode | 6.4 | Stored XSS | 13.4 |
| 🟡 Medium | Contributor+ Stored XSS via Block Attribute | 6.4 | Stored XSS | 12.8-a.3 |
The Pattern: Jetpack's recent CVE history clusters firmly in the medium severity band — a sign of a mature security response process catching issues before they become critical. The most concerning recent entry is the unauthenticated shortcode/block execution bug (CVSS 6.5), which could allow anonymous visitors to trigger arbitrary WordPress actions. The cluster of Contributor-level XSS vulnerabilities is also a reminder that even low-trust authenticated roles can be weaponized.
Verdict: Jetpack's high install count demands vigilance. The good news is its 87/100 score and rapid patch cadence reflect a vendor that takes security seriously. Keep auto-updates enabled and stay on the latest release.
#3 — XCloner: Backup, Restore and Migrate

| Metric | Value |
|---|---|
| Active Installs | 10,000 |
| Total CVEs | 16 |
| Unpatched CVEs | 0 |
| Security Score | 76 / 100 |
| Most Recent Vuln | December 4, 2025 |
XCloner is a smaller plugin by install count — just 10,000 sites — but its security score of 76/100 and 16 CVEs paint a troubling picture for the users who rely on it. Its vulnerability history stretches back to critical CSRF and authorization bypass issues that scored a critical 9.8.
5 Most Recent Vulnerabilities:
| Severity | Title | CVSS | Type | Patched In |
|---|---|---|---|---|
| 🟡 Medium | CSRF in Xcloner_Remote_Storage::save() | 4.3 | CSRF | 4.8.3 |
| 🟡 Medium | Unauthenticated Full Path Disclosure | 5.3 | Information Exposure | 4.7.4 |
| 🔴 Critical | Unauthenticated Plugin Settings Reset | 9.8 | Missing Authorization | 4.3.6 |
| 🟠 High | Unprotected AJAX Actions | 8.8 | Missing Authorization | 4.2.153 |
| 🔴 Critical | Cross-Site Request Forgery (Full Impact) | 9.8 | CSRF | 4.2.153 |
The Pattern: XCloner has historically suffered from catastrophic authorization failures — two separate CVSS 9.8 vulnerabilities, plus an 8.8 AJAX exposure, all sharing a single root cause: inadequate access controls on sensitive plugin actions. While recent CVEs are less severe, the low security score suggests the codebase still warrants scrutiny.
Verdict: Given its small user base, XCloner lacks the community pressure that forces rapid security improvements in larger plugins. If you're using it, seriously evaluate whether a more actively maintained alternative better serves your needs.
#4 — Duplicator: Backups & Migration Plugin

| Metric | Value |
|---|---|
| Active Installs | 1,000,000 |
| Total CVEs | 15 |
| Unpatched CVEs | 0 |
| Security Score | 87 / 100 |
| Most Recent Vuln | July 10, 2024 |
Duplicator is a beloved migration tool with 1 million installs, but it carries 15 CVEs and two documented instances of CVSS 9.8 critical vulnerabilities — including an unauthenticated remote code execution (RCE) flaw that is among the most dangerous vulnerability classes in existence.
5 Most Recent Vulnerabilities:
| Severity | Title | CVSS | Type | Patched In |
|---|---|---|---|---|
| 🟡 Medium | Full Path Disclosure | 5.3 | Information Exposure | 1.5.10 |
| 🟡 Medium | CSRF via diagnostics/information.php | 4.3 | CSRF | 1.5.7.1 |
| 🔴 Critical | Unauthenticated Remote Code Execution | 9.8 | Code Injection | 1.3.0 |
| 🔴 Critical | Unauthenticated Sensitive Information Exposure | 9.8 | Information Exposure | 1.5.7.1 |
| 🟠 High | Sensitive Information Disclosure | 7.5 | Information Exposure | 1.4.7.1 |
The Pattern: Duplicator has a recurrent theme of information exposure — backup packages and sensitive configuration data leaking to unauthenticated users. The installer workflow, which by design leaves an installer.php file accessible, has historically been a significant attack vector. The archived unauthenticated RCE (pre-1.3.0) is a textbook example of why you should never leave old installer files on a production server.
Verdict: Duplicator has improved markedly (87/100 score) and no vulnerabilities have been disclosed since July 2024. Always delete installer files immediately after migration and keep the plugin current.
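Two of the patterns above reduce to things a site owner can look for on disk: the leftover installer.php that the Duplicator section warns about, and PHP files sitting under the uploads directory, which is exactly what an upload-validation gap of the kind described for WPvivid tends to leave behind. The scanner below, an added example that is not part of this article or of any plugin's code, walks a document root and reports both. The installer file name comes from the article, wp-content/uploads and wp-content/plugins are the standard WordPress layout, and the extension list and the demo tree it builds are assumptions constructed for the demonstration.

```python
"""Scan a WordPress document root for two artefacts the article warns about:
migration installers left behind after a move (installer.php) and PHP files
under wp-content/uploads, which a backup plugin's upload path should never be
able to create.

Added example: not the article's code nor any plugin's own tooling. The
installer file name comes from the article; wp-content/uploads and
wp-content/plugins are the standard WordPress layout; the extension list and
the demo tree are assumptions constructed here.
"""
import os
import pathlib
import tempfile

INSTALLER_NAME = "installer.php"
# Extensions most PHP handlers execute; extend to match your server config.
PHP_EXTENSIONS = {".php", ".phtml", ".phar"}
# Plugin packages may legitimately ship a file called installer.php, so the
# installer check skips the plugins tree and looks everywhere else.
SKIP_FOR_INSTALLERS = os.path.join("wp-content", "plugins")
UPLOADS_DIR = os.path.join("wp-content", "uploads")


def _under(rel_dir, prefix):
    """True if rel_dir is prefix itself or a directory inside it."""
    return rel_dir == prefix or rel_dir.startswith(prefix + os.sep)


def looks_like_php(filename):
    """True if any suffix is a PHP extension, so 'x.php.jpg' is flagged too:
    some Apache handler configurations pass double-extension names to PHP."""
    return any(s.lower() in PHP_EXTENSIONS for s in pathlib.Path(filename).suffixes)


def scan_webroot(root):
    """Return sorted relative paths of leftover installers and PHP-in-uploads."""
    installers, uploaded_php = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        in_plugins = _under(rel_dir, SKIP_FOR_INSTALLERS)
        in_uploads = _under(rel_dir, UPLOADS_DIR)
        for name in filenames:
            rel = os.path.join(rel_dir, name) if rel_dir else name
            if name == INSTALLER_NAME and not in_plugins:
                installers.append(rel)
            if in_uploads and looks_like_php(name):
                uploaded_php.append(rel)
    return {"leftover_installers": sorted(installers),
            "php_in_uploads": sorted(uploaded_php)}


def build_demo_webroot():
    """Constructed fixture: a throwaway tree with one of each finding plus
    benign files that must not be reported."""
    root = tempfile.mkdtemp(prefix="wp-root-demo-")
    files = [
        "index.php",                                     # normal core file
        "installer.php",                                 # leftover after migration
        "wp-content/plugins/demo-plugin/installer.php",  # plugin's own, ignored
        "wp-content/uploads/2026/02/photo.jpg",          # benign upload
        "wp-content/uploads/2026/02/unexpected.php",     # should never be here
        "wp-content/uploads/2026/02/double.php.jpg",     # double extension
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("demo\n")
    return root


if __name__ == "__main__":
    # On a real site, pass the document root instead of the demo tree.
    findings = scan_webroot(build_demo_webroot())
    for kind, paths in findings.items():
        print(f"{kind}: {paths or 'none'}")
```

Run it from a cron job or a deploy hook and treat any finding as a ticket: a leftover installer should be deleted, and a PHP file under uploads should be quarantined and traced back to whichever plugin or account wrote it.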
#5 — InstaWP Connect: 1-click WP Staging & Migration

| Metric | Value |
|---|---|
| Active Installs | 30,000 |
| Total CVEs | 15 |
| Unpatched CVEs | 0 |
| Security Score | 76 / 100 |
| Most Recent Vuln | December 12, 2025 |
InstaWP Connect is alarming precisely because it is a newer plugin that has already accumulated 15 CVEs — including three CVSS 9.8 or 8.8 flaws disclosed in early 2025 alone. The velocity of critical vulnerabilities in a short window is a major red flag.
5 Most Recent Vulnerabilities:
| Severity | Title | CVSS | Type | Patched In |
|---|---|---|---|---|
| 🟡 Medium | Missing Authorization | 5.3 | Missing Authorization | 0.1.2.0 |
| 🟠 High | Unauthenticated Local PHP File Inclusion | 8.1 | Path Traversal | 0.1.0.86 |
| 🔴 Critical | Unauthenticated Local File Inclusion | 9.8 | PHP File Inclusion | 0.1.0.83 |
| 🟠 High | CSRF to Local File Inclusion | 8.8 | CSRF + LFI | 0.1.0.84 |
| 🔴 Critical | Authentication Bypass to Admin | 9.8 | Auth Bypass | 0.1.0.45 |
The Pattern: Local File Inclusion (LFI) vulnerabilities appear twice in five CVEs, and an authentication bypass to admin flaw (CVSS 9.8) means attackers could gain full administrative access without any credentials. This combination — auth bypass plus file inclusion — represents some of the most dangerous primitives in web application security. The frequency of patching (multiple patch versions issued within days of each other in March 2025) suggests the codebase was under active exploitation pressure.
Verdict: InstaWP's 76/100 score and velocity of critical CVEs make it the highest-risk plugin per unit of install base on this list. Monitor its changelog obsessively and consider deactivating it on production sites when not actively in use.
