Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid Security & Risk Analysis

wordpress.org/plugins/boldgrid-backup

Automated backups, remote backup to Amazon S3 and Google Drive, stop website crashes before they happen and more. Total Upkeep is the backup solution …

60K active installs · v1.17.2 · PHP 5.4+ · WP 5.0+ · Updated Mar 11, 2026
Tags: backup, cloud-backup, database-backup, restore, wordpress-backup
Score: 95 · A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Mar 25, 2025
Safety Verdict

Is Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid Safe to Use in 2026?

Generally Safe

Score 95/100

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Mar 25, 2025 · Updated 22d ago
Risk Assessment

The "boldgrid-backup" plugin v1.17.2 exhibits a concerning security posture primarily due to its significant attack surface without adequate authentication checks. The static analysis reveals 31 AJAX handlers, all of which lack proper authorization, presenting a wide entry point for potential exploitation. While the code demonstrates some good practices like a high percentage of prepared SQL statements and proper output escaping, the sheer number of unprotected AJAX endpoints is a critical weakness. The presence of dangerous functions like `exec`, `passthru`, and `shell_exec` further amplifies this risk, as they can be leveraged for OS command injection if attackers can influence their input through the vulnerable AJAX handlers.

The vulnerability history is also a major red flag. The plugin has a history of 6 known CVEs, with a significant number of high and medium severity vulnerabilities including OS Command Injection, SSRF, and authorization bypasses. The fact that the last vulnerability was patched in March 2025, while the current version is v1.17.2, suggests that this specific version might not have had these historical vulnerabilities addressed, or that new ones have emerged since then. The pattern of these vulnerabilities points to potential weaknesses in input sanitization and authorization logic, which are directly reflected in the static analysis findings of unprotected AJAX endpoints and the presence of dangerous functions.

In conclusion, despite some positive aspects in its code, the "boldgrid-backup" plugin v1.17.2 poses a significant security risk. The large number of unprotected AJAX entry points, coupled with the historical prevalence of severe vulnerabilities such as OS Command Injection and authorization issues, necessitates extreme caution. While there are no critical taint flows reported, the combination of these factors creates a high-risk environment for any WordPress site utilizing this plugin without strict access controls and ongoing security monitoring.

Key Concerns

  • Large attack surface without auth (AJAX)
  • Dangerous functions present
  • History of High severity vulnerabilities
  • History of Medium severity vulnerabilities
  • Taint flows with unsanitized paths
Vulnerabilities
6

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid Security Vulnerabilities

CVEs by Year

  • 2020: 1 CVE
  • 2022: 1 CVE
  • 2024: 2 CVEs
  • 2025: 2 CVEs

Severity Breakdown

  • High: 4
  • Medium: 2

6 total CVEs

CVE-2025-2257 · high · 7.2 · Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid <= 1.16.10 - Authenticated (Admin+) Command Injection

Mar 25, 2025 · Patched in 1.17.0 (1d)

CVE-2024-13907 · medium · 4.9 · Server-Side Request Forgery (SSRF)

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid <= 1.16.8 - Authenticated (Administrator+) Server-Side Request Forgery

Feb 26, 2025 · Patched in 1.16.9 (1d)

CVE-2024-9461 · high · 7.2 · Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Total Upkeep <= 1.16.6 - Authenticated (Administrator+) Remote Code Execution via Backup Settings

Nov 26, 2024 · Patched in 1.16.7 (1d)

CVE-2024-24869 · high · 7.5 · Improper Authorization

Total Upkeep <= 1.15.8 - Improper Authorization to Unauthenticated Arbitrary File Download

Feb 2, 2024 · Patched in 1.15.9 (4d)

CVE-2022-4932 · medium · 4.3 · Missing Authorization

Total Upkeep <= 1.14.13 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure

Feb 24, 2022 · Patched in 1.14.14 (698d)

CVE-2020-36848 · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

Total Upkeep by BoldGrid <= 1.14.9 - Unauthenticated Backup Download

Dec 14, 2020 · Patched in 1.14.10 (1671d)

Code Analysis
Analyzed Mar 16, 2026

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid Code Analysis

  • Dangerous Functions: 7
  • Raw SQL Queries: 1 (13 prepared)
  • Unescaped Output: 80 (389 escaped)
  • Nonce Checks: 24
  • Capability Checks: 30
  • File Operations: 65
  • External Requests: 14
  • Bundled Libraries: 0

Dangerous Functions Found

exec · `exec( $command, $out, $return_var );` · admin\class-boldgrid-backup-admin-cli.php:113
passthru · `passthru( $command, $return_var );` · admin\class-boldgrid-backup-admin-cli.php:129
popen · `$handle = popen( $command, 'r' );` · admin\class-boldgrid-backup-admin-cli.php:145
proc_open · `$handle = proc_open( $command, $descriptorspec, $pipes );` · admin\class-boldgrid-backup-admin-cli.php:184
shell_exec · `$output = shell_exec( $command );` · admin\class-boldgrid-backup-admin-cli.php:213
system · `system( $command, $return_var );` · admin\class-boldgrid-backup-admin-cli.php:226
proc_open · `$process = proc_open( //phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.system_calls_proc_open` · admin\compressor\class-boldgrid-backup-admin-compressor-system-zip.php:354

SQL Query Safety

93% prepared · 14 total queries

Output Escaping

83% escaped · 469 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

5 flows · 2 with unsanitized paths
<class-boldgrid-backup-admin-migrate-util> (admin\migrate\class-boldgrid-backup-admin-migrate-util.php:0)
Attack Surface
31 unprotected

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid Attack Surface

Entry Points: 31
Unprotected: 31

AJAX Handlers 31

Type · Hook · Location

nopriv · wp_ajax_boldgrid_backup_process_direct_transfer · admin\class-boldgrid-backup-admin-migrate.php:103
auth · wp_ajax_boldgrid_transfer_resync_database · admin\migrate\class-boldgrid-backup-admin-migrate-rx.php:140
auth · wp_ajax_boldgrid_backup_get_countdown_notice · includes\class-boldgrid-backup.php:422
auth · wp_ajax_boldgrid_backup_get_protect_notice · includes\class-boldgrid-backup.php:423
auth · wp_ajax_boldgrid_backup_get_progress_notice · includes\class-boldgrid-backup.php:424
auth · wp_ajax_boldgrid_backup_now · includes\class-boldgrid-backup.php:428
auth · wp_ajax_download_archive_file · includes\class-boldgrid-backup.php:434
auth · wp_ajax_boldgrid_cancel_rollback · includes\class-boldgrid-backup.php:452
nopriv · wp_ajax_boldgrid_cli_cancel_rollback · includes\class-boldgrid-backup.php:458
auth · wp_ajax_boldgrid_backup_deadline · includes\class-boldgrid-backup.php:474
auth · wp_ajax_boldgrid_backup_browse_archive · includes\class-boldgrid-backup.php:513
auth · wp_ajax_boldgrid_backup_browse_archive_file_actions · includes\class-boldgrid-backup.php:514
auth · wp_ajax_boldgrid_backup_browse_archive_restore_db · includes\class-boldgrid-backup.php:515
auth · wp_ajax_boldgrid_backup_browse_archive_view_db · includes\class-boldgrid-backup.php:516
auth · wp_ajax_boldgrid_backup_restore_archive · includes\class-boldgrid-backup.php:518
auth · wp_ajax_boldgrid_backup_exclude_folders_preview · includes\class-boldgrid-backup.php:520
auth · wp_ajax_boldgrid_backup_generate_download_link · includes\class-boldgrid-backup.php:528
auth · wp_ajax_boldgrid_backup_remote_storage_upload_ftp · includes\class-boldgrid-backup.php:535
auth · wp_ajax_boldgrid_backup_is_setup_ftp · includes\class-boldgrid-backup.php:541
auth · wp_ajax_boldgrid_backup_remote_storage_download_ftp · includes\class-boldgrid-backup.php:548
nopriv · wp_ajax_boldgrid_backup_run_jobs · includes\class-boldgrid-backup.php:565
nopriv · wp_ajax_boldgrid_backup_run_backup · includes\class-boldgrid-backup.php:566
nopriv · wp_ajax_boldgrid_backup_run_restore · includes\class-boldgrid-backup.php:567
auth · wp_ajax_boldgrid_backup_download · includes\class-boldgrid-backup.php:570
nopriv · wp_ajax_boldgrid_backup_download · includes\class-boldgrid-backup.php:571
auth · wp_ajax_boldgrid_backup_url_upload · includes\class-boldgrid-backup.php:577
auth · wp_ajax_boldgrid_backup_update_archive_details · includes\class-boldgrid-backup.php:585
auth · wp_ajax_boldgrid_backup_is_setup_local · includes\class-boldgrid-backup.php:589
auth · wp_ajax_dismissBoldgridNotice · includes\class-boldgrid-backup.php:606
auth · wp_ajax_boldgrid_backup_view_log · includes\class-boldgrid-backup.php:637
auth · wp_ajax_boldgrid_backup_cancel · includes\class-boldgrid-backup.php:643

WordPress Hooks 97

Type · Hook · Location

action · shutdown · admin\class-boldgrid-backup-admin-archive-fail.php:71
filter · automatic_updater_disabled · admin\class-boldgrid-backup-admin-auto-updates.php:63
filter · auto_update_core · admin\class-boldgrid-backup-admin-auto-updates.php:286
filter · allow_major_auto_core_updates · admin\class-boldgrid-backup-admin-auto-updates.php:294
filter · allow_minor_auto_core_updates · admin\class-boldgrid-backup-admin-auto-updates.php:295
filter · auto_update_translation · admin\class-boldgrid-backup-admin-auto-updates.php:296
filter · allow_dev_auto_core_updates · admin\class-boldgrid-backup-admin-auto-updates.php:297
filter · boldgrid_backup_get_core · admin\class-boldgrid-backup-admin-core.php:674
action · admin_notices · admin\class-boldgrid-backup-admin-core.php:926
action · shutdown · admin\class-boldgrid-backup-admin-restore-helper.php:95
action · shutdown · admin\class-boldgrid-backup-admin-restore-helper.php:187
action · admin_notices · admin\class-boldgrid-backup-admin-support.php:62
filter · upload_dir · admin\class-boldgrid-backup-admin-upload.php:296
action · shutdown · admin\class-boldgrid-backup-admin-xhprof.php:47
action · rest_api_init · admin\migrate\class-boldgrid-backup-admin-migrate-rx.php:142
action · init · admin\migrate\class-boldgrid-backup-admin-migrate-rx.php:144
action · rest_api_init · admin\migrate\class-boldgrid-backup-admin-migrate-tx.php:129
action · admin_footer · admin\partials\boldgrid-backup-admin-settings.php:120
filter · doing_it_wrong_trigger_error · includes\class-boldgrid-backup.php:70
action · after_setup_theme · includes\class-boldgrid-backup.php:382
action · admin_enqueue_scripts · includes\class-boldgrid-backup.php:395
action · admin_notices · includes\class-boldgrid-backup.php:406
action · shutdown · includes\class-boldgrid-backup.php:407
action · admin_menu · includes\class-boldgrid-backup.php:410
action · boldgrid_backup_notice · includes\class-boldgrid-backup.php:416
action · admin_notices · includes\class-boldgrid-backup.php:421
action · core_upgrade_preamble · includes\class-boldgrid-backup.php:425
action · pre_auto_update · includes\class-boldgrid-backup.php:440
action · admin_notices · includes\class-boldgrid-backup.php:446
action · admin_notices · includes\class-boldgrid-backup.php:464
action · upgrader_process_complete · includes\class-boldgrid-backup.php:468
action · boldgrid_backup_pre_restore · includes\class-boldgrid-backup.php:479
action · boldgrid_backup_post_restore · includes\class-boldgrid-backup.php:480
filter · boldgrid_backup_post_restore · includes\class-boldgrid-backup.php:481
action · boldgrid_backup_post_restore_htaccess · includes\class-boldgrid-backup.php:482
action · boldgrid_backup_post_restore_wpconfig · includes\class-boldgrid-backup.php:483
filter · boldgrid_backup_restore_fail · includes\class-boldgrid-backup.php:484
filter · boldgrid_backup_cannnot_restore_git_objects · includes\class-boldgrid-backup.php:486
filter · boldgrid_backup_file_in_dir · includes\class-boldgrid-backup.php:488
filter · unzip_file_use_ziparchive · includes\class-boldgrid-backup.php:490
filter · cron_schedules · includes\class-boldgrid-backup.php:492
action · boldgrid_backup_wp_cron_backup · includes\class-boldgrid-backup.php:493
action · boldgrid_backup_wp_cron_restore · includes\class-boldgrid-backup.php:494
action · boldgrid_backup_archive_files_init · includes\class-boldgrid-backup.php:496
action · wp_mail_failed · includes\class-boldgrid-backup.php:497
action · boldgrid_backup_wp_cron_run_jobs · includes\class-boldgrid-backup.php:499
action · admin_enqueue_scripts · includes\class-boldgrid-backup.php:501
filter · plugins_loaded · includes\class-boldgrid-backup.php:503
action · boldgrid_backup_delete_local · includes\class-boldgrid-backup.php:505
action · boldgrid_backup_post_archive_files · includes\class-boldgrid-backup.php:507
action · boldgrid_backup_post_archive_files · includes\class-boldgrid-backup.php:508
action · boldgrid_backup_post_jobs_email · includes\class-boldgrid-backup.php:509
action · boldgrid_backup_cron_fail_email · includes\class-boldgrid-backup.php:511
action · admin_init · includes\class-boldgrid-backup.php:522
action · admin_init · includes\class-boldgrid-backup.php:524
action · admin_init · includes\class-boldgrid-backup.php:526
action · boldgrid_backup_single_archive_remote_options · includes\class-boldgrid-backup.php:533
filter · boldgrid_backup_register_storage_location · includes\class-boldgrid-backup.php:537
action · admin_menu · includes\class-boldgrid-backup.php:539
action · boldgrid_backup_post_archive_files · includes\class-boldgrid-backup.php:543
filter · boldgrid_backup_ftp_upload_post_archive · includes\class-boldgrid-backup.php:545
action · boldgrid_backup_get_all · includes\class-boldgrid-backup.php:547
action · admin_enqueue_scripts · includes\class-boldgrid-backup.php:550
filter · shutdown · includes\class-boldgrid-backup.php:551
action · admin_notices · includes\class-boldgrid-backup.php:553
action · boldgrid_backup_pre_dump · includes\class-boldgrid-backup.php:555
action · boldgrid_backup_post_dump · includes\class-boldgrid-backup.php:556
filter · heartbeat_received · includes\class-boldgrid-backup.php:557
action · customize_controls_enqueue_scripts · includes\class-boldgrid-backup.php:559
filter · pre_update_option_boldgrid_backup_settings · includes\class-boldgrid-backup.php:561
filter · option_boldgrid_backup_settings · includes\class-boldgrid-backup.php:562
action · admin_notices · includes\class-boldgrid-backup.php:574
filter · site_option_boldgrid_backup_pending_rollback · includes\class-boldgrid-backup.php:580
filter · Boldgrid\Library\Update\isEnalbed · includes\class-boldgrid-backup.php:583
action · admin_menu · includes\class-boldgrid-backup.php:587
filter · Boldgrid\Library\Notifications\DashboardWidget\getFeaturePlugin\boldgrid-backup · includes\class-boldgrid-backup.php:591
action · admin_init · includes\class-boldgrid-backup.php:594
action · wp_maybe_auto_update · includes\class-boldgrid-backup.php:595
filter · auto_update_plugin · includes\class-boldgrid-backup.php:596
filter · auto_update_theme · includes\class-boldgrid-backup.php:597
action · update_option_auto_update_plugins · includes\class-boldgrid-backup.php:598
action · update_option_auto_update_themes · includes\class-boldgrid-backup.php:599
action · admin_enqueue_scripts · includes\class-boldgrid-backup.php:602
action · admin_notices · includes\class-boldgrid-backup.php:605
action · rest_api_init · includes\class-boldgrid-backup.php:609
action · admin_init · includes\class-boldgrid-backup.php:628
filter · Boldgrid\Library\Usage\Notice\admin_notices · includes\class-boldgrid-backup.php:629
filter · Boldgrid\Library\Usage\Notice\maybeShow · includes\class-boldgrid-backup.php:630
filter · Boldgrid\Library\Usage\getPrefixes · includes\class-boldgrid-backup.php:631
filter · is_boldgrid_backup_page · includes\class-boldgrid-backup.php:632
action · in_admin_header · includes\class-boldgrid-backup.php:633
action · admin_enqueue_scripts · includes\class-boldgrid-backup.php:636
action · shutdown · includes\class-boldgrid-backup.php:638
action · admin_enqueue_scripts · includes\class-boldgrid-backup.php:641
filter · Boldgrid\Library\Plugin\Notices\admin_enqueue_scripts · includes\class-boldgrid-backup.php:655
action · admin_enqueue_scripts · includes\class-boldgrid-backup.php:657
action · admin_footer · includes\class-boldgrid-backup.php:665

Maintenance & Trust

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 11, 2026
  • PHP min version: 5.4
  • Downloads: 2.2M

Community Trust

  • Rating: 96/100
  • Number of ratings: 436
  • Active installs: 60K

Developer Profile

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid Developer Profile

BoldGrid

15 plugins · 1.1M total installs

  • Trust score: 76
  • Avg Security Score: 96/100
  • Avg Patch Time: 841 days
Detection Fingerprints

How We Detect Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/boldgrid-backup/admin/js/boldgrid-backup-admin-archive-actions.js

Script Paths

  • /wp-content/plugins/boldgrid-backup/vendor/autoload.php
  • /wp-content/plugins/boldgrid-backup/rest/class-boldgrid-backup-rest-utility.php
  • /wp-content/plugins/boldgrid-backup/admin/class-boldgrid-backup-admin-support.php
  • /wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup.php
  • /wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-activator.php
  • /wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-deactivator.php
  • +1 more

Version Parameters

  • boldgrid-backup/style.css?ver=
  • boldgrid-backup-admin-archive-actions.js?ver=

HTML / DOM Fingerprints

HTML Comments

  • <!-- File: class-boldgrid-backup-admin-archive-actions.php -->
  • <!-- File: boldgrid-backup.php -->
  • <!-- Fix added as of 1.14.10. -->
  • <!-- @todo This fix can be removed in the future. -->
  • +22 more

Data Attributes

  • data-backup-restore-nonce
  • data-backup-restore-dialog-title
  • data-backup-restore-dialog-text

JS Globals

  • BoldGridBackupAdminArchiveActions

FAQ

Frequently Asked Questions about Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid