BackWPup – WordPress Backup & Restore Plugin Security & Risk Analysis

wordpress.org/plugins/backwpup

Create a complete WordPress backup easily. Schedule automatic backups, store securely, and restore effortlessly with the best WordPress backup plugin!

500K active installs · v5.6.6 · PHP 7.4+ · WP 4.9+ · Updated Mar 5, 2026
Tags: backup, cloud-backup, database-backup, restore, wordpress-backup
83
B · Generally Safe
CVEs total: 10
Unpatched: 0
Last CVE: Feb 18, 2026
Safety Verdict

Is BackWPup – WordPress Backup & Restore Plugin Safe to Use in 2026?

Mostly Safe

Score 83/100

BackWPup – WordPress Backup & Restore Plugin is generally safe to use. 10 past CVEs were resolved. Keep it updated.

10 known CVEs · Last CVE: Feb 18, 2026 · Updated 1mo ago
Risk Assessment

BackWPup v5.6.6 presents a mixed security posture. While the plugin demonstrates good practices in areas like SQL prepared statements and output escaping, a significant concern arises from its attack surface. A considerable number of AJAX handlers lack proper authentication checks, creating potential entry points for unauthorized actions if exploited. The taint analysis, fortunately, did not reveal any critical or high severity unsanitized path flows, which is a positive sign. However, the plugin's vulnerability history is a major red flag. With 10 known CVEs, including one critical and five high-severity vulnerabilities, and common types like missing authorization, path traversal, and information exposure, it indicates a recurring pattern of security weaknesses. The presence of past critical and high-severity issues, despite the absence of currently unpatched vulnerabilities, suggests a need for heightened vigilance and potentially deeper code auditing. The last recorded vulnerability in 2026 also indicates a recent history of security issues, making proactive patching and hardening crucial.

Key Concerns

  • Unprotected AJAX handlers
  • High number of known CVEs
  • Past critical severity CVEs
  • Past high severity CVEs
  • Bundled library (Guzzle)
Vulnerabilities
10

BackWPup – WordPress Backup & Restore Plugin Security Vulnerabilities

CVEs by Year

2011: 2 CVEs
2013: 1 CVE
2017: 1 CVE
2023: 2 CVEs
2024: 2 CVEs
2025: 1 CVE
2026: 1 CVE

Severity Breakdown

Critical: 1
High: 5
Medium: 3
Low: 1

10 total CVEs

CVE-2025-15041 · high · 7.2 · Missing Authorization

BackWPup 5.0.0 - 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update

Feb 18, 2026 Patched in 5.6.3 (3d)
CVE-2025-10579 · medium · 5.3 · Missing Authorization

BackWPup 5 - 5.5.0 - Missing Authorization to Sensitive Information Exposure

Oct 24, 2025 Patched in 5.5.1 (5d)
CVE-2023-5505 · medium · 6.8 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal

Aug 16, 2024 Patched in 4.0.2 (1d)
CVE-2023-5775 · low · 2.2 · Plaintext Storage of a Password

BackWPup <= 4.0.2 - Plaintext Storage of Backup Destination Password

Feb 23, 2024 Patched in 4.0.3 (1d)
CVE-2023-7164 · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

BackWPup <= 4.0.3 - Sensitive Information Exposure

Dec 18, 2023 Patched in 4.0.4 (94d)
CVE-2023-5504 · high · 8.7 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal

Nov 22, 2023 Patched in 4.0.2 (62d)
CVE-2017-2551 · high · 7.5 · Files or Directories Accessible to External Parties

BackWPup <= 3.4.1 - Unauthenticated Backup Download

Sep 8, 2017 Patched in 3.4.2 (2328d)
CVE-2013-4626 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BackWPup < 3.0.13 - Cross-Site Scripting

Aug 21, 2013 Patched in 3.0.13 (3807d)
CVE-2011-4342 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

BackWPup <= 1.7.1 - Remote File Inclusion

Mar 28, 2011 Patched in 1.7.2 (4684d)
CVE-2011-5208 · high · 7.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BackWPup – WordPress Backup Plugin < 1.4.1 - Directory Traversal

Mar 2, 2011 Patched in 1.4.1 (4710d)
Code Analysis
Analyzed Mar 16, 2026

BackWPup – WordPress Backup & Restore Plugin Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 9 (86 prepared)
Unescaped Output: 150 (1490 escaped)
Nonce Checks: 32
Capability Checks: 69
File Operations: 102
External Requests: 16
Bundled Libraries: 1

Dangerous Functions Found

assert · assert($constraint instanceof ConstraintInterface); · inc\dependencies\inpsyde\plugin-environment-checker\src\EnvironmentChecker.php:38

Bundled Libraries

Guzzle

SQL Query Safety

91% prepared · 95 total queries

Output Escaping

91% escaped · 1640 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

14 flows · 3 with unsanitized paths
create (inc\class-job.php:272)
Attack Surface
6 unprotected

BackWPup – WordPress Backup & Restore Plugin Attack Surface

Entry Points: 10
Unprotected: 6

AJAX Handlers 6

auth · wp_ajax_backwpup_debug_info · inc\class-admin.php:281
auth · wp_ajax_backwpup_working · inc\class-admin.php:293
auth · wp_ajax_backwpup_cron_text · inc\class-admin.php:294
auth · wp_ajax_backwpup_view_log · inc\class-admin.php:295
auth · wp_ajax_download_backup_file · inc\class-admin.php:296
auth · wp_ajax_encrypt_key_handler · inc\class-admin.php:320

REST API Routes 4

POST · /wp-json/backwpup/v1/startbackup · src\Backups\API\Rest.php:94
POST · /wp-json/backwpup/v1/process_bulk_actions · src\Backups\API\Rest.php:122
GET · /wp-json/backwpup/v1/getjobslist · src\Jobs\Frontend\API\Rest.php:48
GET · /wp-json/backwpup/v1/storagelistcompact · src\StorageProviders\Frontend\API\Rest.php:50

WordPress Hooks 72

action · plugins_loaded · backwpup.php:74
action · admin_enqueue_scripts · inc\class-admin.php:682
filter · backwpup_admin_pages · inc\class-admin.php:1116
filter · backwpup_admin_pages · inc\class-admin.php:1117
filter · backwpup_admin_pages · inc\class-admin.php:1118
filter · backwpup_admin_pages · inc\class-admin.php:1119
filter · backwpup_admin_pages · inc\class-admin.php:1120
filter · backwpup_admin_pages · inc\class-admin.php:1123
filter · backwpup_admin_pages · inc\class-admin.php:1124
filter · backwpup_admin_pages · inc\class-admin.php:1127
action · network_admin_menu · inc\class-admin.php:1132
action · admin_menu · inc\class-admin.php:1134
action · admin_enqueue_scripts · inc\class-admin.php:1136
action · admin_enqueue_scripts · inc\class-admin.php:1143
filter · plugin_row_meta · inc\class-admin.php:1151
filter · plugin_action_links_backwpup/backwpup.php · inc\class-admin.php:1152
filter · plugin_action_links_backwpup-pro/backwpup.php · inc\class-admin.php:1153
action · admin_init · inc\class-admin.php:1155
action · admin_enqueue_scripts · inc\class-admin.php:1156
action · admin_enqueue_scripts · inc\class-admin.php:1157
action · admin_post_backwpup · inc\class-admin.php:1159
action · admin_post_backwpup_support · inc\class-admin.php:1161
filter · admin_footer_text · inc\class-admin.php:1163
filter · update_footer · inc\class-admin.php:1164
action · show_user_profile · inc\class-admin.php:1166
action · edit_user_profile · inc\class-admin.php:1167
action · profile_update · inc\class-admin.php:1168
action · admin_bar_menu · inc\class-adminbar.php:28
action · wp_head · inc\class-adminbar.php:29
action · shutdown · inc\class-job.php:1879
filter · backwpup_wxr_export_skip_postmeta · inc\class-jobtype-wpexp.php:126
action · admin_notices · inc\class-message-box.php:80
action · admin_init · inc\class-message-box.php:81
action · backwpup_admin_messages · inc\Notice\Notice.php:82
action · admin_enqueue_scripts · inc\Notice\Notice.php:103
filter · backwpup_exclusion_plugins_folders · inc\ThirdParty\Autoptimize.php:74
filter · backwpup_exclusion_plugins_cache_folders · inc\ThirdParty\Autoptimize.php:75
filter · backwpup_exclusion_plugins_folders · inc\ThirdParty\Breeze.php:84
filter · backwpup_exclusion_plugins_cache_folders · inc\ThirdParty\Breeze.php:85
filter · backwpup_exclusion_plugins_folders · inc\ThirdParty\HummingbirdPerformance.php:79
filter · backwpup_exclusion_plugins_cache_folders · inc\ThirdParty\HummingbirdPerformance.php:80
filter · backwpup_exclusion_plugins_folders · inc\ThirdParty\SGCachepress.php:71
filter · backwpup_exclusion_plugins_cache_folders · inc\ThirdParty\SGCachepress.php:72
filter · backwpup_exclusion_plugins_folders · inc\ThirdParty\W3TotalCache.php:79
filter · backwpup_exclusion_plugins_cache_folders · inc\ThirdParty\W3TotalCache.php:80
filter · backwpup_exclusion_plugins_folders · inc\ThirdParty\WPFastestCache.php:79
filter · backwpup_exclusion_plugins_cache_folders · inc\ThirdParty\WPFastestCache.php:80
filter · backwpup_exclusion_plugins_folders · inc\ThirdParty\WPOptimize.php:85
filter · backwpup_exclusion_plugins_cache_folders · inc\ThirdParty\WPOptimize.php:86
filter · backwpup_exclusion_plugins_folders · inc\ThirdParty\WPRocket.php:79
filter · backwpup_exclusion_plugins_cache_folders · inc\ThirdParty\WPRocket.php:80
filter · backwpup_exclusion_plugins_folders · inc\ThirdParty\WPSuperCache.php:71
filter · backwpup_exclusion_plugins_cache_folders · inc\ThirdParty\WPSuperCache.php:72
action · admin_init · src\Common\Database\Tables\AbstractTable.php:26
action · init · src\Common\Database\Tables\AbstractTable.php:27
action · switch_blog · src\Dependencies\BerlinDB\Database\Table.php:929
action · admin_init · src\Dependencies\BerlinDB\Database\Table.php:930
action · admin_init · src\Infrastructure\Restore\Restore.php:52
action · admin_head · src\Infrastructure\Restore\Restore.php:53
action · backwpup_page_restore · src\Infrastructure\Restore\Restore.php:54
action · backwpup_page_restore · src\Infrastructure\Restore\Restore.php:55
action · backwpup_restore_upload_content · src\Infrastructure\Restore\TemplateLoader.php:116
action · backwpup_restore_before_upload_content · src\Infrastructure\Restore\TemplateLoader.php:117
action · backwpup_restore_before_main_content · src\Infrastructure\Restore\TemplateLoader.php:123
action · backwpup_restore_main_content · src\Infrastructure\Restore\TemplateLoader.php:129
filter · backwpup_container · src\Plugin\Plugin.php:83
action · init · src\Plugin\Plugin.php:127
action · wp_loaded · src\Plugin\Plugin.php:197
action · backwpup_cron · src\Plugin\Plugin.php:200
action · backwpup_check_cleanup · src\Plugin\Plugin.php:201
action · init · src\Plugin\Plugin.php:278
filter · user_has_cap · src\Tracking\Tracking.php:423

Scheduled Events 18

backwpup_cron × 16
backwpup_check_cleanup
backwpup_rsc_delete_segment_files
Maintenance & Trust

BackWPup – WordPress Backup & Restore Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 7.4
Downloads: 22.7M

Community Trust

Rating: 80/100
Number of ratings: 1,316
Active installs: 500K
Developer Profile

BackWPup – WordPress Backup & Restore Plugin Developer Profile

WP Media

8 plugins · 2.0M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 1621 days
Detection Fingerprints

How We Detect BackWPup – WordPress Backup & Restore Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/backwpup/assets/css/main.min.css
/wp-content/plugins/backwpup/assets/js/backwpup-generate.js
/wp-content/plugins/backwpup/assets/css/backwpup-admin.css
/wp-content/plugins/backwpup/assets/js/backwpup-admin.js
/wp-content/plugins/backwpup/assets/js/general.js
/wp-content/plugins/backwpup/assets/js/vendor/clipboard.min.js

Script Paths
/wp-content/plugins/backwpup/assets/js/backwpup-generate.js
/wp-content/plugins/backwpup/assets/js/backwpup-admin.js
/wp-content/plugins/backwpup/assets/js/general.js
/wp-content/plugins/backwpup/assets/js/vendor/clipboard.min.js

Version Parameters
backwpup/assets/css/main.min.css?ver=
backwpup/assets/js/backwpup-generate.js?ver=
backwpup/assets/css/backwpup-admin.css?ver=
backwpup/assets/js/backwpup-admin.js?ver=
backwpup/assets/js/general.js?ver=
backwpup/assets/js/vendor/clipboard.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
backwpup_job_log
backwpup_job_run_info

HTML Comments
<!-- BackWPup Job -->
<!-- BackWPup Job Log -->
<!-- BackWPup Job Output -->
<!-- BackWPup Job Settings -->
+1 more

Data Attributes
data-backwpup-job-id
data-backwpup-job-status

JS Globals
backwpup
backwpupApi

REST Endpoints
/wp-json/backwpup/v1/jobs
/wp-json/backwpup/v1/jobs/(?P<id>\d+)
FAQ

Frequently Asked Questions about BackWPup – WordPress Backup & Restore Plugin