WP-Safety

Backuply – Backup, Restore, Migrate and Clone Security & Risk Analysis

wordpress.org/plugins/backuply

Backup, restores, and migration with Backuply are fairly simple with a wide range of storage options from Local Backups, FTP to cloud options like AWS …

600K active installs v1.5.2 PHP 5.5+ WP 4.7+ Updated Feb 26, 2026
backupcloud-backupdatabase-backuprestorewordpress-backup
90
A · Safe
CVEs total5
Unpatched0
Last CVESep 25, 2025
Plugin page Download
Safety Verdict

Is Backuply – Backup, Restore, Migrate and Clone Safe to Use in 2026?

Generally Safe

Score 90/100

Backuply – Backup, Restore, Migrate and Clone has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEsLast CVE: Sep 25, 2025Updated 1mo ago
Risk Assessment

The Backuply plugin exhibits a mixed security posture. While it demonstrates good practices in using prepared statements for SQL queries and a high percentage of properly escaped output, significant concerns arise from its attack surface. A large number of unprotected AJAX handlers (24 out of 34) present a substantial entry point for attackers to potentially exploit vulnerabilities. The presence of the `unserialize` function, especially in conjunction with unsanitized paths identified in the taint analysis, raises red flags for potential remote code execution or arbitrary file read/write vulnerabilities. The plugin's historical vulnerability record, with 5 known CVEs including a critical and a high-severity issue, further exacerbates these concerns. The fact that the last vulnerability was in 2025-09-25, and there are currently no unpatched vulnerabilities, suggests a potential for past issues being fixed but also highlights the plugin's track record. Overall, the plugin's large attack surface and historical issues warrant careful consideration, despite some positive coding practices.

Key Concerns

  • Large number of unprotected AJAX handlers
  • Use of unserialize function
  • Taint flows with unsanitized paths
  • History of 5 known CVEs
  • History of 1 critical CVE
  • History of 1 high CVE
Vulnerabilities
5

Backuply – Backup, Restore, Migrate and Clone Security Vulnerabilities

CVEs by Year

4 CVEs in 2024
2024
1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

Critical
1
High
1
Medium
3

5 total CVEs

CVE-2025-10307medium · 6.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Backuply – Backup, Restore, Migrate and Clone <= 1.4.8 - Authenticated (Admin+) Arbitrary File Deletion

Sep 25, 2025 Patched in 1.4.9 (1d)
CVE-2024-8669critical · 9.1Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Backuply – Backup, Restore, Migrate and Clone <= 1.3.4 - Authenticated (Admin+) SQL Injection

Sep 13, 2024 Patched in 1.3.5 (1d)
CVE-2024-2294medium · 4.9Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Backuply – Backup, Restore, Migrate and Clone <= 1.2.7 - Authenticated (Admin+) Directory Traversal

Mar 15, 2024 Patched in 1.2.8 (1d)
CVE-2024-0842high · 7.5Uncontrolled Resource Consumption

Backuply - Backup, Restore, Migrate and Clone <= 1.2.6 - Denial of Service

Feb 8, 2024 Patched in 1.2.7 (173d)
CVE-2024-0697medium · 6.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Backuply – Backup, Restore, Migrate and Clone <= 1.2.3 - Authenticated (Administrator+) Directory Traversal

Jan 26, 2024 Patched in 1.2.4 (186d)
Code Analysis
Analyzed Mar 16, 2026

Backuply – Backup, Restore, Migrate and Clone Code Analysis

Dangerous Functions
4
Raw SQL Queries
0
9 prepared
Unescaped Output
33
227 escaped
Nonce Checks
25
Capability Checks
9
File Operations
266
External Requests
9
Bundled Libraries
0

Dangerous Functions Found

unserialize$thisdb_tables = unserialize($data['exclude_db']);backup_ins.php:98
unserialize$var = @unserialize($str);functions.php:1591
unserialize$var = @unserialize($str);functions.php:1598
unserialize$thisdb_tables = unserialize($data['exclude_db']);restore_ins.php:3494

SQL Query Safety

100% prepared9 total queries

Output Escaping

87% escaped260 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

9 flows7 with unsanitized paths
backuply_restore_curl (functions.php:1674)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
24 unprotected

Backuply – Backup, Restore, Migrate and Clone Attack Surface

Entry Points34
Unprotected24

AJAX Handlers 34

authwp_ajax_backuply_create_backupmain\ajax.php:22
authwp_ajax_backuply_stop_backupmain\ajax.php:23
authwp_ajax_backuply_download_backupmain\ajax.php:24
authwp_ajax_backuply_multi_backup_deletemain\ajax.php:25
authwp_ajax_backuply_check_statusmain\ajax.php:26
authwp_ajax_backuply_check_backup_statusmain\ajax.php:27
authwp_ajax_backuply_checkrestorestatus_actionmain\ajax.php:28
authwp_ajax_backuply_restore_curl_querymain\ajax.php:29
authwp_ajax_backuply_retry_htaccessmain\ajax.php:30
authwp_ajax_backuply_kill_proccessmain\ajax.php:31
authwp_ajax_backuply_get_loc_detailsmain\ajax.php:32
authwp_ajax_backuply_sync_backupsmain\ajax.php:33
noprivwp_ajax_backuply_restore_responsemain\ajax.php:34
noprivwp_ajax_backuply_update_serializationmain\ajax.php:35
authwp_ajax_backuply_creating_sessionmain\ajax.php:36
noprivwp_ajax_backuply_creating_sessionmain\ajax.php:37
authwp_ajax_backuply_last_logsmain\ajax.php:38
authwp_ajax_backuply_save_excludesmain\ajax.php:39
authwp_ajax_backuply_exclude_rule_deletemain\ajax.php:40
authwp_ajax_backuply_get_jstreemain\ajax.php:41
authwp_ajax_backuply_hide_backup_nagmain\ajax.php:42
authwp_ajax_backuply_get_restore_keymain\ajax.php:43
authwp_ajax_backuply_handle_backupmain\ajax.php:44
authwp_ajax_backuply_download_bcloudmain\ajax.php:45
authwp_ajax_backuply_update_quotamain\ajax.php:46
authwp_ajax_backuply_backup_uploadmain\ajax.php:47
noprivwp_ajax_backuply_restore_status_logmain\ajax.php:48
authwp_ajax_backuply_restore_status_logmain\ajax.php:49
authwp_ajax_backuply_close_litespeed_noticemain\ajax.php:50
authwp_ajax_backuply_close_update_noticemain\ajax.php:51
authwp_ajax_backuply_trial_promomain\ajax.php:52
authwp_ajax_bcloud_trialmain\ajax.php:55
authwp_ajax_backuply_verify_trialmain\ajax.php:56
authwp_ajax_backuply_trial_settingsmain\ajax.php:57
WordPress Hooks 21
actionplugins_loadedinit.php:81
actioninitinit.php:112
actionbackuply_clean_tmpinit.php:113
actionbackuply_update_quotainit.php:114
filtercron_schedulesinit.php:124
actionbackuply_backup_croninit.php:131
actionbackuply_timeout_checkinit.php:134
actionadmin_initmain\admin.php:7
actionadmin_menumain\admin.php:8
filterupload_mimesmain\admin.php:14
actionadmin_post_backuply_download_backupmain\admin.php:15
actionadmin_noticesmain\admin.php:28
actionadmin_noticesmain\admin.php:43
actionadmin_noticesmain\admin.php:73
actionadmin_noticesmain\admin.php:90
filtersoftaculous_plugin_update_noticemain\admin.php:91
actionadmin_noticesmain\admin.php:115
actionadmin_noticesmain\admin.php:138
actionadmin_noticesmain\admin.php:160
actionadmin_noticesmain\admin.php:181
actionbackuply_auto_backup_cronmain\bcloud-cron.php:8

Scheduled Events 7

backuply_update_quota
backuply_timeout_check
backuply_update_quota
backuply_timeout_check
backuply_clean_tmp
backuply_timeout_check
backuply_auto_backup_cron
Maintenance & Trust

Backuply – Backup, Restore, Migrate and Clone Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 26, 2026
PHP min version5.5
Downloads6.1M

Community Trust

Rating90/100
Number of ratings128
Active installs600K
Alternatives

Backuply – Backup, Restore, Migrate and Clone Alternatives

BackWPup – WordPress Backup & Restore Plugin

BackWPup – WordPress Backup & Restore Plugin

backwpup

B
83

Create a complete WordPress backup easily. Schedule automatic backups, store securely, and restore effortlessly with the best WordPress backup plugin!

500K 10 CVEs
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid

boldgrid-backup

A
95

Automated backups, remote backup to Amazon S3 and Google Drive, stop website crashes before they happen and more. Total Upkeep is the backup solution &hellip;

60K 6 CVEs
UpdraftPlus: WP Backup & Migration Plugin

UpdraftPlus: WP Backup & Migration Plugin

updraftplus

A
90

Backup, restore or migrate your WordPress website to another host or domain. Schedule backups or run manually. Migrate in minutes.

3.0M 14 CVEs
Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

duplicator

A
87

The best WordPress backup and migration plugin. Quickly and easily backup ,migrate, copy, move, or clone your site from one location to another.

1.0M 15 CVEs
WP Database Backup – Unlimited Database & Files Backup by Backup for WP

WP Database Backup – Unlimited Database & Files Backup by Backup for WP

wp-database-backup

A
87

Create & Restore Database Backup easily on single click. Manual or automated backups (backup to Dropbox, Google drive, Amazon s3,FTP,Email).

30K 13 CVEs
Developer Profile

Backuply – Backup, Restore, Migrate and Clone Developer Profile

Softaculous

10 plugins · 4.1M total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
333 days
View full developer profile
Detection Fingerprints

How We Detect Backuply – Backup, Restore, Migrate and Clone

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/backuply/core/assets/js/backuply.js/wp-content/plugins/backuply/core/assets/css/backuply.css/wp-content/plugins/backuply/core/assets/css/backuply-custom.css
Script Paths
/wp-content/plugins/backuply/core/assets/js/backuply.js
Version Parameters
backuply/core/assets/css/backuply.css?ver=backuply/core/assets/js/backuply.js?ver=

HTML / DOM Fingerprints

CSS Classes
backuply-settings-mainbackuply-backup-btnbackuply-log-wrapperbackuply-modal-content
HTML Comments
<!-- Backuply Admin Init --><!-- Trial Promo --><!-- Trial Promo Ends here --><!-- Last Backup Notice Start -->+15 more
Data Attributes
data-backuply-modal-iddata-backuply-close-modal
JS Globals
backuply_optionsbackuply_ajax_url
FAQ

Frequently Asked Questions about Backuply – Backup, Restore, Migrate and Clone