CYAN Backup Security & Risk Analysis

wordpress.org/plugins/cyan-backup

Backup your entire WordPress site and its database into a zip file on a schedule. Remote storage options include FTP, SFTP and FTPS.

300 active installs · v2.5.5 · PHP + WP 2.9+ · Updated Nov 4, 2025
Tags: backup, ftp, schedule, scp, sftp
Score: 95 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Nov 7, 2025
Safety Verdict

Is CYAN Backup Safe to Use in 2026?

Generally Safe

Score 95/100

CYAN Backup has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Nov 7, 2025 · Updated 5mo ago
Risk Assessment

The "cyan-backup" plugin version 2.5.5 presents a mixed security posture. While the static analysis reveals a seemingly small attack surface with no directly exposed AJAX, REST API, or shortcode entry points without authentication, several concerning code signals warrant attention. The presence of dangerous functions like `create_function` and `unserialize` is a significant red flag, as these can be exploited for code execution or deserialization vulnerabilities if not handled with extreme care and proper input validation. Furthermore, a low percentage (27%) of properly escaped outputs indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the website. The large number of file operations (292) combined with a low output escaping rate increases the potential for insecure file handling as well.

The plugin's vulnerability history is also a major concern. With 4 known CVEs, all categorized as medium severity and related to Path Traversal and XSS, the plugin shows a pattern of past security weaknesses. While there are currently no unpatched CVEs, the recurring nature of these vulnerability types suggests that the development team may struggle with consistently implementing secure coding practices, particularly around input sanitization and output escaping. The last recorded vulnerability date (2025-11-07) is in the future, which might indicate a data anomaly or a placeholder, but it doesn't negate the historical trend.

In conclusion, despite the lack of immediately obvious unauthenticated entry points in the static analysis, the "cyan-backup" plugin has significant potential for vulnerabilities due to the use of dangerous functions, poor output escaping, and a history of XSS and Path Traversal issues. The high volume of file operations and the low rate of proper output escaping are particularly worrying. Users should exercise caution and ensure thorough security audits are performed on this plugin.

Key Concerns

  • Presence of dangerous functions (create_function, unserialize)
  • Low percentage of properly escaped outputs (27%)
  • High number of past medium severity CVEs (4)
  • Vulnerability types indicate insecure input/output handling
  • No capability checks on entry points
  • SQL queries not consistently using prepared statements (60%)
Vulnerabilities (4)

CYAN Backup Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE
  • 2025: 3 CVEs

Severity Breakdown

  • Medium: 4

4 total CVEs

CVE-2025-12092 · medium · 6.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CYAN Backup <= 2.5.4 - Authenticated (Admin+) Arbitrary File Deletion
Nov 7, 2025 · Patched in 2.5.5 (1d)

CVE-2024-9662 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CYAN Backup <= 2.5.2 - Authenticated (Admin+) Stored Cross-Site Scripting
Mar 3, 2025 · Patched in 2.5.3 (88d)

CVE-2024-9663 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CYAN Backup <= 2.5.2 - Authenticated (Admin+) Stored Cross-Site Scripting
Mar 3, 2025 · Patched in 2.5.3 (88d)

CVE-2024-52390 · medium · 4.9 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CYAN Backup <= 2.5.3 - Authenticated (Admin+) Arbitrary File Download
Nov 11, 2024 · Patched in 2.5.4 (11d)

Code Analysis
Analyzed Mar 16, 2026

CYAN Backup Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 2 (3 prepared)
  • Unescaped Output: 88 (32 escaped)
  • Nonce Checks: 5
  • Capability Checks: 0
  • File Operations: 292
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

  • create_function (includes\phpseclib\Crypt\Base.php:2481):
    return create_function('$_action, &$self, $_text', $init_crypt . 'if ($_action == "encrypt") { ' . $
  • unserialize (includes\phpseclib\Crypt\RSA.php:641):
    extract(unserialize($partial));

SQL Query Safety

60% prepared · 5 total queries

Output Escaping

27% escaped · 120 total outputs
Attack Surface

CYAN Backup Attack Surface

Entry Points: 0
Unprotected: 0

WordPress Hooks (8)

  • action cyan_backup_hook (cyan-backup.php:28)
  • action network_admin_menu (cyan-backup.php:73)
  • action admin_menu (cyan-backup.php:76)
  • filter plugin_action_links (cyan-backup.php:77)
  • action init (cyan-backup.php:79)
  • filter query_vars (includes\class-addrewriterules.php:13)
  • action generate_rewrite_rules (includes\class-addrewriterules.php:14)
  • action wp (includes\class-addrewriterules.php:18)

Scheduled Events (2)

  • cyan_backup_hook
  • cyan_backup_hook
Maintenance & Trust

CYAN Backup Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Nov 4, 2025
  • PHP min version
  • Downloads: 36K

Community Trust

  • Rating: 82/100
  • Number of ratings: 11
  • Active installs: 300
Developer Profile

CYAN Backup Developer Profile

Greg Ross

34 plugins · 8K total installs

Trust score: 80
Avg Security Score: 88/100
Avg Patch Time: 39 days
Detection Fingerprints

How We Detect CYAN Backup

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/cyan-backup/css/cyan-backup.css
  • /wp-content/plugins/cyan-backup/js/cyan-backup.js
  • /wp-content/plugins/cyan-backup/js/cyan-backup-admin.js
Script Paths
  • /wp-content/plugins/cyan-backup/js/cyan-backup.js
  • /wp-content/plugins/cyan-backup/js/cyan-backup-admin.js
Version Parameters
  • cyan-backup/css/cyan-backup.css?ver=
  • cyan-backup/js/cyan-backup.js?ver=
  • cyan-backup/js/cyan-backup-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • cyan-backup-wrap
  • cyan-backup-page-title
HTML Comments
  • <!-- Start CYAN Backup Menu -->
  • <!-- End CYAN Backup Menu -->
  • <!-- Start Backup Settings -->
  • <!-- End Backup Settings -->
  • +6 more
JS Globals
  • CYAN_BACKUP_AJAX_URL
  • CYAN_BACKUP_NONCE
REST Endpoints
  • /wp-json/cyan-backup/v1/settings
  • /wp-json/cyan-backup/v1/schedule
  • /wp-json/cyan-backup/v1/backup
  • /wp-json/cyan-backup/v1/restore
  • /wp-json/cyan-backup/v1/log
FAQ

Frequently Asked Questions about CYAN Backup