Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups Security & Risk Analysis

wordpress.org/plugins/trinity-backup

Backup, migrate, clone, and restore WordPress sites of any size. Scheduled, pre-update backups, email notifications, WP-CLI, white label, encryption.

2K active installs v2.0.9 PHP 8.0+ WP 6.2+ Updated Mar 9, 2026
backupcloneduplicatemigrationrestore
99
A · Safe
CVEs total1
Unpatched0
Last CVEJun 18, 2026
Download
Safety Verdict

Is Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups Safe to Use in 2026?

Generally Safe

Score 99/100

Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Jun 18, 2026Updated 4mo ago
Risk Assessment

The "trinity-backup" v2.0.9 plugin presents a significant security risk primarily due to its large, unprotected attack surface. All 19 identified AJAX handlers lack authentication checks, making them directly accessible to unauthenticated users. This is a critical oversight that could lead to various vulnerabilities depending on the functionality of these handlers.

While the plugin demonstrates some good practices like using prepared statements for most SQL queries and a considerable number of output escaping instances, the lack of authorization on its entry points negates these benefits. The presence of `unserialize` is a potential concern, especially if user-controlled data is ever passed to it without proper sanitization, although the taint analysis did not reveal critical or high severity issues in this version. The absence of known CVEs and a clean vulnerability history is positive, suggesting past development might have been more secure or that this specific version hasn't been targeted. However, the current state of unprotected AJAX handlers demands immediate attention.

Key Concerns

  • 19 unprotected AJAX handlers
  • Use of unserialize function
  • Output escaping only 57% proper
Vulnerabilities
1 published

Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups Security Vulnerabilities

CVEs by Year

1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-54839medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups <= 2.0.9 - Unauthenticated Information Exposure

Jun 18, 2026 Patched in 2.0.10 (8d)
Version History

Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups Release Timeline

v2.0.9Current1 CVE
v2.0.81 CVE
v2.0.71 CVE
v2.0.61 CVE
v2.0.51 CVE
v2.0.41 CVE
v2.0.31 CVE
Code Analysis
Analyzed Mar 16, 2026

Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups Code Analysis

Dangerous Functions
1
Raw SQL Queries
1
11 prepared
Unescaped Output
31
41 escaped
Nonce Checks
1
Capability Checks
1
File Operations
54
External Requests
0
Bundled Libraries
1

Dangerous Functions Found

unserialize$plugins = @unserialize($activePlugins);src\Engine\Steps\ImportDatabase.php:778

Bundled Libraries

Freemius1.0

SQL Query Safety

92% prepared12 total queries

Output Escaping

57% escaped72 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

3 flows2 with unsanitized paths
handleUploadChunk (src\Core\Router.php:280)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
19 unprotected

Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups Attack Surface

Entry Points19
Unprotected19

AJAX Handlers 19

authwp_ajax_trinity_backup_startsrc\Core\Router.php:32
authwp_ajax_trinity_backup_runsrc\Core\Router.php:33
authwp_ajax_trinity_backup_uploadsrc\Core\Router.php:36
authwp_ajax_trinity_backup_upload_chunksrc\Core\Router.php:37
authwp_ajax_trinity_backup_check_archivesrc\Core\Router.php:38
authwp_ajax_trinity_backup_import_startsrc\Core\Router.php:39
authwp_ajax_trinity_backup_import_runsrc\Core\Router.php:40
authwp_ajax_trinity_backup_list_backupssrc\Core\Router.php:43
authwp_ajax_trinity_backup_deletesrc\Core\Router.php:44
authwp_ajax_trinity_backup_delete_allsrc\Core\Router.php:45
authwp_ajax_trinity_backup_cleanupsrc\Core\Router.php:46
authwp_ajax_trinity_backup_checksrc\Core\Router.php:49
authwp_ajax_trinity_backup_schedulesrc\Core\Router.php:52
authwp_ajax_trinity_backup_get_settingssrc\Core\Router.php:53
authwp_ajax_trinity_backup_preupdate_savesrc\Core\Router.php:54
authwp_ajax_trinity_backup_email_savesrc\Core\Router.php:55
authwp_ajax_trinity_backup_email_testsrc\Core\Router.php:56
authwp_ajax_trinity_backup_whitelabel_savesrc\Core\Router.php:57
authwp_ajax_trinity_backup_save_themesrc\Core\Router.php:60
WordPress Hooks 5
actionadmin_menusrc\Core\Plugin.php:93
actionadmin_enqueue_scriptssrc\Core\Plugin.php:94
actionwp_mail_failedsrc\Core\Router.php:94
filtershow_deactivation_subscription_cancellationtrinity-backup.php:60
filterdeactivate_on_activationtrinity-backup.php:61
Maintenance & Trust

Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 9, 2026
PHP min version8.0
Downloads2K

Community Trust

Rating100/100
Number of ratings1
Active installs2K
Developer Profile

Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups Developer Profile

KingAddons.com

5 plugins · 17K total installs

80
trust score
Avg Security Score
89/100
Avg Patch Time
58 days
View full developer profile
Detection Fingerprints

How We Detect Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/trinity-backup/assets/css/styles.css/wp-content/plugins/trinity-backup/assets/js/trinity-backup-admin.js/wp-content/plugins/trinity-backup/vendor/freemius/assets/css/base.css/wp-content/plugins/trinity-backup/vendor/freemius/assets/js/base.js
Script Paths
/wp-content/plugins/trinity-backup/assets/js/trinity-backup-admin.js/wp-content/plugins/trinity-backup/vendor/freemius/assets/js/base.js
Version Parameters
trinity-backup/assets/css/styles.css?ver=trinity-backup/assets/js/trinity-backup-admin.js?ver=trinity-backup/vendor/freemius/assets/css/base.css?ver=trinity-backup/vendor/freemius/assets/js/base.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-trinity-backup-ajax-url
JS Globals
trinityBackupAjaxUrltrinityBackupNonce
REST Endpoints
/wp-json/trinity-backup/v1/backup/schedule/wp-json/trinity-backup/v1/backup/create/wp-json/trinity-backup/v1/backup/import/wp-json/trinity-backup/v1/backup/download/wp-json/trinity-backup/v1/backup/delete/wp-json/trinity-backup/v1/backup/cancel/wp-json/trinity-backup/v1/setting/save
FAQ

Frequently Asked Questions about Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups