WP-Safety

Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely Security & Risk Analysis

wordpress.org/plugins/royal-backup-reset

WordPress backup plugin to create full website backups and restore them easily. Built in migration to easily migrate your website, smart pre-update ba …

10K active installs v1.0.24 PHP 7.4+ WP 5.0+ Updated Apr 3, 2026
backup-plugindatabase-backupmigraterestorewordpress-backup
99
A · Safe
CVEs total1
Unpatched0
Last CVEApr 9, 2026
Plugin page Download
Safety Verdict

Is Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely Safe to Use in 2026?

Generally Safe

Score 99/100

Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Apr 9, 2026Updated 1mo ago
Risk Assessment

The "royal-backup-reset" plugin, version 1.0.18, exhibits a generally positive security posture with several strong practices. Notably, all identified entry points, including 43 AJAX handlers, are protected with authentication checks. The extensive use of prepared statements for SQL queries (72%) and proper output escaping (84%) further mitigates common web vulnerabilities. The absence of known CVEs and historical vulnerabilities suggests a commitment to security or a lack of past exploitation, which is a positive indicator.

However, several areas warrant attention. The presence of dangerous functions like `unserialize`, `popen`, and `proc_open` introduces potential risks if not handled with extreme care, especially in conjunction with user-supplied input. While taint analysis shows no critical or high-severity flows with unsanitized paths, there is one identified flow with an unsanitized path, which, although not rated critically, still represents a potential avenue for exploitation. The plugin also bundles the Freemius library, which, if outdated, could introduce its own vulnerabilities.

In conclusion, "royal-backup-reset" v1.0.18 has a solid foundation of security controls in place, particularly concerning input validation and authentication. The primary risks stem from the use of potentially dangerous functions and the single unsanitized path identified in the taint analysis. Vigilance regarding the Freemius library and diligent secure coding practices around the mentioned dangerous functions are recommended to maintain its security.

Key Concerns

  • Presence of dangerous functions (unserialize, popen, proc_open)
  • Flows with unsanitized paths identified
  • Bundled Freemius library (potential for outdated version)
Vulnerabilities
1 published

Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely Security Vulnerabilities

CVEs by Year

1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-4305medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Royal WordPress Backup & Restore Plugin <= 1.0.16 - Reflected Cross-Site Scripting via 'wpr_pending_template' Parameter

Apr 9, 2026 Patched in 1.0.17 (1d)
Version History

Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely Release Timeline

v1.0.24Current
v1.0.23
v1.0.22
v1.0.21
v1.0.20
v1.0.19
v1.0.18
v1.0.17
v1.0.161 CVE
CVE-2026-4305
v1.0.151 CVE
CVE-2026-4305
v1.0.141 CVE
CVE-2026-4305
v1.0.131 CVE
CVE-2026-4305
v1.0.121 CVE
CVE-2026-4305
v1.0.111 CVE
CVE-2026-4305
v1.0.101 CVE
CVE-2026-4305
v1.0.91 CVE
CVE-2026-4305
v1.0.81 CVE
CVE-2026-4305
v1.0.71 CVE
CVE-2026-4305
v1.0.61 CVE
CVE-2026-4305
v1.0.51 CVE
CVE-2026-4305
Code Analysis
Analyzed Mar 16, 2026

Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely Code Analysis

Dangerous Functions
7
Raw SQL Queries
28
72 prepared
Unescaped Output
27
144 escaped
Nonce Checks
43
Capability Checks
51
File Operations
78
External Requests
1
Bundled Libraries
1

Dangerous Functions Found

unserialize$var = unserialize( file_get_contents( $cache_file_base . '-info.tmp' ) );includes\class-royalbr-backup.php:2143
unserializereturn unserialize( $var );includes\class-royalbr-backup.php:2219
popen$handle = ( function_exists( 'popen' ) && function_exists( 'pclose' ) ) ? popen( $exec, 'r' ) : falsincludes\class-royalbr-backup.php:2932
proc_open$handle = proc_open( $exec2, $descriptorspec, $pipes, $this->royalbr_dir );includes\class-royalbr-backup.php:2963
proc_open$process = function_exists( 'proc_open' ) ? proc_open( $exec, $descriptorspec, $pipes, $rdirname ) :includes\class-royalbr-binzip.php:211
unserialize$plugins_array = @unserialize( $plugins ); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discourageincludes\class-royalbr-restore.php:2279
unserialize$plugins_array = @unserialize( $plugins ); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discourageincludes\class-royalbr-restore.php:2323

Bundled Libraries

Freemius1.0

SQL Query Safety

72% prepared100 total queries

Output Escaping

84% escaped171 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

15 flows1 with unsanitized paths
prepare_ajax_restore (royal-backup-reset.php:3811)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely Attack Surface

Entry Points43
Unprotected0

AJAX Handlers 43

authwp_ajax_royalbr_backup_reminder_banner_dismissincludes\rating\class-royalbr-backup-reminder-banner.php:36
authwp_ajax_royalbr_backup_reminder_banner_laterincludes\rating\class-royalbr-backup-reminder-banner.php:37
authwp_ajax_royalbr_rating_dismissincludes\rating\class-royalbr-rating-notice.php:38
authwp_ajax_royalbr_rating_maybe_laterincludes\rating\class-royalbr-rating-notice.php:39
authwp_ajax_royalbr_rating_already_ratedincludes\rating\class-royalbr-rating-notice.php:40
authwp_ajax_royalbr_get_backup_nonceroyal-backup-reset.php:391
authwp_ajax_royalbr_create_backuproyal-backup-reset.php:392
authwp_ajax_royalbr_restore_backuproyal-backup-reset.php:393
authwp_ajax_royalbr_delete_backuproyal-backup-reset.php:394
authwp_ajax_royalbr_download_componentroyal-backup-reset.php:395
authwp_ajax_royalbr_reset_databaseroyal-backup-reset.php:396
authwp_ajax_royalbr_before_resetroyal-backup-reset.php:397
authwp_ajax_royalbr_get_settingsroyal-backup-reset.php:398
authwp_ajax_royalbr_save_settingsroyal-backup-reset.php:399
authwp_ajax_royalbr_get_backup_progressroyal-backup-reset.php:400
authwp_ajax_royalbr_get_logroyal-backup-reset.php:401
authwp_ajax_royalbr_stop_backuproyal-backup-reset.php:402
authwp_ajax_royalbr_ajax_restoreroyal-backup-reset.php:403
authwp_ajax_royalbr_ajaxrestore_continueroyal-backup-reset.php:404
authwp_ajax_royalbr_get_restore_logroyal-backup-reset.php:405
authwp_ajax_royalbr_get_backup_listroyal-backup-reset.php:406
authwp_ajax_royalbr_get_backup_list_for_popuproyal-backup-reset.php:407
authwp_ajax_royalbr_get_backup_modal_htmlroyal-backup-reset.php:408
authwp_ajax_royalbr_get_backup_progress_modal_htmlroyal-backup-reset.php:409
authwp_ajax_royalbr_get_log_viewer_modal_htmlroyal-backup-reset.php:410
authwp_ajax_royalbr_get_confirmation_modal_htmlroyal-backup-reset.php:411
authwp_ajax_royalbr_get_progress_modal_htmlroyal-backup-reset.php:412
authwp_ajax_royalbr_get_component_selection_modal_htmlroyal-backup-reset.php:413
authwp_ajax_royalbr_get_reset_progress_modal_htmlroyal-backup-reset.php:414
authwp_ajax_royalbr_get_pro_modal_htmlroyal-backup-reset.php:415
authwp_ajax_royalbr_download_logroyal-backup-reset.php:416
authwp_ajax_royalbr_download_restore_logroyal-backup-reset.php:417
authwp_ajax_royalbr_test_scheduled_filesroyal-backup-reset.php:418
authwp_ajax_royalbr_test_scheduled_databaseroyal-backup-reset.php:419
authwp_ajax_royalbr_dismiss_backup_reminderroyal-backup-reset.php:420
authwp_ajax_royalbr_clear_pending_template_editroyal-backup-reset.php:421
authwp_ajax_royalbr_gdrive_get_auth_urlroyal-backup-reset.php:422
authwp_ajax_royalbr_gdrive_disconnectroyal-backup-reset.php:423
authwp_ajax_royalbr_dropbox_get_auth_urlroyal-backup-reset.php:424
authwp_ajax_royalbr_dropbox_disconnectroyal-backup-reset.php:425
authwp_ajax_royalbr_dropbox_verifyroyal-backup-reset.php:426
authwp_ajax_royalbr_s3_test_connectionroyal-backup-reset.php:427
authwp_ajax_royalbr_s3_disconnectroyal-backup-reset.php:428
WordPress Hooks 31
actionadmin_initincludes\class-royalbr-tour.php:226
actionadmin_initincludes\premium-plugin-activation.php:16
actionadmin_noticesincludes\premium-plugin-activation.php:41
actionadmin_initincludes\rating\class-royalbr-backup-reminder-banner.php:32
actionadmin_enqueue_scriptsincludes\rating\class-royalbr-backup-reminder-banner.php:33
actionadmin_noticesincludes\rating\class-royalbr-backup-reminder-banner.php:104
actionadmin_noticesincludes\rating\class-royalbr-backup-reminder-banner.php:106
actionadmin_initincludes\rating\class-royalbr-rating-notice.php:33
actionadmin_enqueue_scriptsincludes\rating\class-royalbr-rating-notice.php:34
actionroyalbr_restore_completedincludes\rating\class-royalbr-rating-notice.php:35
actionadmin_noticesincludes\rating\class-royalbr-rating-notice.php:86
actionadmin_noticesincludes\rating\class-royalbr-rating-notice.php:88
filterfs_redirect_on_activation_royal-backup-resetroyal-backup-reset.php:29
actionbefore_admin_menu_initroyal-backup-reset.php:96
actionafter_uninstallroyal-backup-reset.php:104
actioninitroyal-backup-reset.php:387
actionadmin_initroyal-backup-reset.php:388
actionadmin_menuroyal-backup-reset.php:389
actionadmin_enqueue_scriptsroyal-backup-reset.php:390
actionroyalbr_backup_resumeroyal-backup-reset.php:431
actionadmin_noticesroyal-backup-reset.php:433
actionadmin_noticesroyal-backup-reset.php:434
actionadmin_noticesroyal-backup-reset.php:438
actionadmin_headroyal-backup-reset.php:443
actionadmin_bar_menuroyal-backup-reset.php:446
actionadmin_enqueue_scriptsroyal-backup-reset.php:447
actionwp_enqueue_scriptsroyal-backup-reset.php:448
filterplugin_row_metaroyal-backup-reset.php:450
actionadmin_initroyal-backup-reset.php:456
filterroyalbr_exclude_directoryroyal-backup-reset.php:524
filterroyalbr_loglineroyal-backup-reset.php:3700

Scheduled Events 4

royalbr_backup_resume
royalbr_backup_resume
royalbr_backup_resume
royalbr_backup_resume
Maintenance & Trust

Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedApr 3, 2026
PHP min version7.4
Downloads78K

Community Trust

Rating100/100
Number of ratings2
Active installs10K
Alternatives

Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely Alternatives

Backuply – Backup, Restore, Migrate and Clone

Backuply – Backup, Restore, Migrate and Clone

backuply

A
90

Backup, restores, and migration with Backuply are fairly simple with a wide range of storage options from Local Backups, FTP to cloud options like AWS &hellip;

700K 5 CVEs
BackWPup – WordPress Backup & Restore Plugin

BackWPup – WordPress Backup & Restore Plugin

backwpup

B
83

Create a complete WordPress backup easily. Schedule automatic backups, store securely, and restore effortlessly with the best WordPress backup plugin!

500K 11 CVEs
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid

boldgrid-backup

A
89

Automated backups, remote backup to Amazon S3 and Google Drive, stop website crashes before they happen and more. Total Upkeep is the backup solution &hellip;

50K 7 CVEs
Backup Database

Backup Database

fny-database-backup

A
85

Backup Database Plugin includes backup into Dropbox, Google Drive, Amazon, FTP, etc. You can simply backup and migrate your website wherever you need &hellip;

60 No CVEs
UpdraftPlus: WP Backup & Migration Plugin

UpdraftPlus: WP Backup & Migration Plugin

updraftplus

A
90

Backup, restore or migrate your WordPress website to another host or domain. Schedule backups or run manually. Migrate in minutes.

3.0M 14 CVEs
Developer Profile

Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely Developer Profile

WP Royal

9 plugins · 767K total installs

73
trust score
Avg Security Score
91/100
Avg Patch Time
94 days
View full developer profile
Detection Fingerprints

How We Detect Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/royal-backup-reset/assets/css/backend.css/wp-content/plugins/royal-backup-reset/assets/css/frontend.css/wp-content/plugins/royal-backup-reset/assets/js/backend.js/wp-content/plugins/royal-backup-reset/assets/js/frontend.js
Script Paths
/wp-content/plugins/royal-backup-reset/assets/js/backend.js/wp-content/plugins/royal-backup-reset/assets/js/frontend.js
Version Parameters
royal-backup-reset/assets/css/backend.css?ver=royal-backup-reset/assets/css/frontend.css?ver=royal-backup-reset/assets/js/backend.js?ver=royal-backup-reset/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
royalbr-backup-history-rowroyalbr-backup-history-action-buttonsroyalbr-upgrade-menuroyalbr-settings-sectionroyalbr-settings-field
HTML Comments
<!-- Royal Backup & Restore & Reset --><!-- Royal Backup & Restore & Reset Premium -->
Data Attributes
data-royalbr-actiondata-royalbr-backup-iddata-royalbr-noncedata-royalbr-restore-noncedata-royalbr-delete-nonce
JS Globals
royalbr_backup_script_varsroyalbr_frontend_script_vars
REST Endpoints
/wp-json/royal-backup-reset/v1/backup/wp-json/royal-backup-reset/v1/restore/wp-json/royal-backup-reset/v1/settings
FAQ

Frequently Asked Questions about Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely