Backup WordPress with Nifty Backups Security & Risk Analysis

wordpress.org/plugins/nifty-backups

Fully functional free backup plugin for WordPress. Backup and restore your database tables and WordPress files quickly, easily and reliably.

60 active installs · v1.08 · PHP + WP 3.8+ · Updated Nov 25, 2016
Tags: backup, backup-plugin, backups, wordpress-backup-plugin

Score 63 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Aug 29, 2025
Safety Verdict

Is Backup WordPress with Nifty Backups Safe to Use in 2026?

Use With Caution

Score 63/100

Backup WordPress with Nifty Backups has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Aug 29, 2025 · Updated 9yr ago
Risk Assessment

The Nifty Backups plugin version 1.08 presents a mixed security posture. While it shows some positive signs, such as only a single non-critical vulnerability and a limited number of external HTTP requests, several areas raise significant concerns. The static analysis reveals a concerning lack of input validation and authorization checks, particularly in its REST API route and AJAX handlers. The fact that 12 entry points exist, with one being unprotected, is a direct security risk. Furthermore, the low percentage of properly escaped output (16%) indicates a high likelihood of Cross-Site Scripting (XSS) vulnerabilities, which is consistent with its past vulnerability history.

The vulnerability history is a major red flag. A single unpatched medium-severity CVE, identified as Cross-Site Scripting, highlights a persistent weakness in how the plugin handles user input. The timing of this last vulnerability (2025-08-29) suggests it's a recent issue that remains unaddressed. The taint analysis also reveals that all analyzed flows involve unsanitized paths, further reinforcing the concern about improper input handling, even though no critical or high severity issues were flagged here. The high number of file operations (35) combined with poor output escaping and a known XSS history suggests a real possibility of malicious code injection or data leakage.

In conclusion, while Nifty Backups v1.08 avoids dangerous functions and has a decent rate of prepared statements for SQL, its security is significantly undermined by a substantial attack surface with unprotected entry points and a severe deficiency in output escaping. The unpatched XSS vulnerability is a critical issue that needs immediate attention. Users should exercise extreme caution until these issues are rectified.

Key Concerns

  • Unpatched CVE (medium severity)
  • REST API route without permission callbacks
  • Low percentage of properly escaped output
  • All taint flows with unsanitized paths
  • Lack of capability checks
Vulnerabilities
1 published

Backup WordPress with Nifty Backups Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-52763 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nifty Backups <= 1.08 - Reflected Cross-Site Scripting

Aug 29, 2025 · Unpatched
Version History

Backup WordPress with Nifty Backups Release Timeline

v1.07 · 1 CVE
v1.06 · 1 CVE
v1.05 · 1 CVE
v1.04 · 1 CVE
v1.03 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Backup WordPress with Nifty Backups Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 9 · Prepared: 7
Unescaped Output: 116 · Escaped: 22
Nonce Checks: 1
Capability Checks: 0
File Operations: 35
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

44% prepared · 16 total queries

Output Escaping

16% escaped · 138 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

4 flows · 4 with unsanitized paths
backup_dashboard (nifty-backups.php:1375)
Attack Surface
1 unprotected

Backup WordPress with Nifty Backups Attack Surface

Entry Points: 12
Unprotected: 1

AJAX Handlers 11

  • auth · wp_ajax_nifty_backup · nifty-backups.php:111
  • auth · wp_ajax_nifty_backup_start · nifty-backups.php:112
  • auth · wp_ajax_nifty_backup_info · nifty-backups.php:113
  • auth · wp_ajax_nifty_restore · nifty-backups.php:114
  • auth · wp_ajax_nifty_restore_file · nifty-backups.php:115
  • auth · wp_ajax_nifty_cancel_backup · nifty-backups.php:116
  • auth · wp_ajax_nifty_restore_external · nifty-backups.php:117
  • auth · wp_ajax_nifty_delete_file · nifty-backups.php:119
  • auth · wp_ajax_nifty_cloud_upload · nifty-backups.php:120
  • auth · wp_ajax_view_change · nifty-backups.php:121
  • auth · wp_ajax_nifty-save-settings · nifty-backups.php:122

REST API Routes 1

  • GET, POST · /wp-json/nifty_backups/v1/ping_backup · includes\REST_api.php:10
WordPress Hooks 41
  • filter · nifty_backup_email_wrapper · includes\module_emails.php:3
  • filter · nifty_backups_filter_settings_paramter_intercept · includes\module_notifications.php:3
  • action · nifty_backups_general_settings_output_hook · includes\module_notifications.php:14
  • filter · nifty_backup_filter_button_handling · includes\module_offsite.php:5
  • filter · nifty_backup_filter_main_menu_settings · includes\module_offsite.php:17
  • action · nifty_backups_hook_dash_list_buttons · includes\module_offsite.php:25
  • action · nifty_backup_action_view_change · includes\module_offsite.php:33
  • filter · nifty_backups_filter_offsite_selection · includes\module_offsite_email.php:6
  • action · nifty_backups_send_to_cloud_hook · includes\module_offsite_email.php:36
  • filter · nifty_backups_filter_offsite_selection · includes\module_offsite_email.php:91
  • action · nifty_backups_filter_save_settings · includes\module_offsite_email.php:123
  • action · rest_api_init · includes\REST_api.php:8
  • action · nifty_backups_general_settings_output_hook · includes\REST_api.php:19
  • action · admin_menu · nifty-backups.php:109
  • action · nifty_backup_db_settings · nifty-backups.php:124
  • action · nifty_backup_support_page · nifty-backups.php:125
  • action · nifty_backup_schedule_settings · nifty-backups.php:126
  • action · nifty_backup_general_settings · nifty-backups.php:127
  • action · nifty_backup_file_settings · nifty-backups.php:128
  • action · nifty_backups_db_settings_output_hook · nifty-backups.php:131
  • action · nifty_backups_file_settings_output_hook · nifty-backups.php:132
  • action · nifty_backups_schedule_settings_output_hook · nifty-backups.php:133
  • action · nifty_bu_build_button · nifty-backups.php:138
  • action · nifty_cron_hook · nifty-backups.php:142
  • filter · cron_schedules · nifty-backups.php:144
  • filter · nifty_backup_filter_main_menu · nifty-backups.php:146
  • filter · nifty_backup_filter_main_menu · nifty-backups.php:147
  • filter · nifty_backup_filter_main_menu · nifty-backups.php:148
  • filter · nifty_backup_filter_main_menu · nifty-backups.php:149
  • filter · nifty_backup_filter_button_handling · nifty-backups.php:151
  • filter · nifty_backup_filter_skip_db · nifty-backups.php:153
  • filter · nifty_backup_filter_skip_files · nifty-backups.php:154
  • action · init · nifty-backups.php:157
  • action · nifty_backup_action_footer · nifty-backups.php:159
  • action · activated_plugin · nifty-backups.php:161
  • filter · nifty_backups_filter_save_settings · nifty-backups.php:163
  • filter · nifty_bu_filter_include_file · nifty-backups.php:164
  • action · admin_head · nifty-backups.php:166
  • action · admin_print_scripts · nifty-backups.php:526
  • action · admin_print_styles · nifty-backups.php:527
  • filter · wp_mail_content_type · nifty-backups.php:874

Scheduled Events 1

nifty_cron_hook
Maintenance & Trust

Backup WordPress with Nifty Backups Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.33
Last updated: Nov 25, 2016
PHP min version
Downloads: 6K

Community Trust

Rating: 100/100
Number of ratings: 12
Active installs: 60
Developer Profile

Backup WordPress with Nifty Backups Developer Profile

NickDuncan

5 plugins · 490 total installs

Trust score: 81
Avg Security Score: 81/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Backup WordPress with Nifty Backups

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/nifty-backups/css/nifty-backups-styles.css
  • /wp-content/plugins/nifty-backups/js/nifty-backups.js
  • /wp-content/plugins/nifty-backups/js/nifty-backups-backup.js
  • /wp-content/plugins/nifty-backups/js/nifty-backups-restore.js
  • /wp-content/plugins/nifty-backups/js/nifty-backups-general-settings.js
  • /wp-content/plugins/nifty-backups/js/nifty-backups-file-settings.js
  • /wp-content/plugins/nifty-backups/js/nifty-backups-schedule-settings.js
  • /wp-content/plugins/nifty-backups/js/nifty-backups-support-page.js
Script Paths
  • /wp-content/plugins/nifty-backups/js/nifty-backups.js
  • /wp-content/plugins/nifty-backups/js/nifty-backups-backup.js
  • /wp-content/plugins/nifty-backups/js/nifty-backups-restore.js
  • /wp-content/plugins/nifty-backups/js/nifty-backups-general-settings.js
  • /wp-content/plugins/nifty-backups/js/nifty-backups-file-settings.js
  • /wp-content/plugins/nifty-backups/js/nifty-backups-schedule-settings.js
  • +1 more
Version Parameters
  • nifty-backups/css/nifty-backups-styles.css?ver=
  • nifty-backups/js/nifty-backups.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • nifty-backup-wrap
  • nifty-backup-button
  • nifty-backup-action-wrap
  • nifty-backup-controls
  • nifty-backup-progress
  • nifty-backup-message
  • nifty-backup-row
  • nifty-backup-column
  • +3 more
HTML Comments
  • <!-- NIFTY BACKUPS START FOOTER -->
  • <!-- NIFTY BACKUPS END FOOTER -->
  • <!-- NIFTY BACKUPS CONTENT -->
Data Attributes
  • data-action
  • data-nonce
JS Globals
  • nifty_bu_upload_dir
  • nifty_bu_upload_url
  • nifty_backups_ajax_url
REST Endpoints
  • /wp-json/nifty-backups/v1/backup
  • /wp-json/nifty-backups/v1/restore
  • /wp-json/nifty-backups/v1/settings
FAQ

Frequently Asked Questions about Backup WordPress with Nifty Backups