WP Database Backup – Unlimited Database & Files Backup by Backup for WP Security & Risk Analysis

wordpress.org/plugins/wp-database-backup

Create & restore database backups easily with a single click. Manual or automated backups (backup to Dropbox, Google Drive, Amazon S3, FTP, Email).

30K active installs · v7.9 · PHP 5.6.20+ · WP 3.1+ · Updated Jan 22, 2026
Tags: backup, cloud-backup, database-backup, files-backup, wordpress-backup
Score: 87 (A · Safe)
CVEs total: 13
Unpatched: 0
Last CVE: Jan 8, 2025
Safety Verdict

Is WP Database Backup – Unlimited Database & Files Backup by Backup for WP Safe to Use in 2026?

Generally Safe

Score 87/100

WP Database Backup – Unlimited Database & Files Backup by Backup for WP has a strong security track record. Known vulnerabilities have been patched promptly.

13 known CVEs · Last CVE: Jan 8, 2025 · Updated 2mo ago
Risk Assessment

The 'wp-database-backup' plugin v7.9 exhibits a mixed security posture. While it demonstrates good practices in utilizing prepared statements for SQL queries and a high percentage of proper output escaping, significant concerns remain regarding its attack surface and historical vulnerability patterns. The presence of unprotected AJAX handlers and REST API routes presents immediate risks of unauthorized actions. Furthermore, the plugin's history of 13 CVEs, including critical vulnerabilities like OS Command Injection and exposure of sensitive information, suggests recurring systemic security weaknesses that require diligent attention and patching.

Despite the absence of currently unpatched CVEs and a clean taint analysis with no unsanitized paths, the historical prevalence of severe vulnerabilities coupled with the static analysis findings of unprotected entry points indicates a plugin that has historically been a target and may still harbor latent risks. The use of dangerous functions like 'shell_exec' and 'unserialize' also warrants careful scrutiny, especially in conjunction with input handling that hasn't always been perfectly secured, as evidenced by past XSS and CSRF vulnerabilities.

In conclusion, 'wp-database-backup' v7.9 has some strong security foundations, particularly in data handling and output sanitization. However, the unprotected entry points and a history riddled with critical vulnerabilities demand a cautious approach. Users should be aware that while current unpatched vulnerabilities are zero, the plugin's track record and exposed entry points create a fertile ground for potential future exploits. Continuous monitoring and prompt updates are paramount.

Key Concerns

  • 2 AJAX handlers without auth checks
  • 2 REST API routes without permission callbacks
  • History of 2 critical CVEs
  • History of 5 high CVEs
  • History of 6 medium CVEs
  • Use of dangerous function: shell_exec
  • Use of dangerous function: unserialize
  • Only 67% of outputs properly escaped
Vulnerabilities: 13

WP Database Backup – Unlimited Database & Files Backup by Backup for WP Security Vulnerabilities

CVEs by Year

2015: 1 CVE
2016: 5 CVEs
2019: 3 CVEs
2020: 1 CVE
2022: 2 CVEs
2025: 1 CVE

Severity Breakdown

Critical: 2
High: 5
Medium: 6

13 total CVEs

CVE-2024-12330 · high · 7.5 · Exposure of Backup File to an Unauthorized Control Sphere

WP Database Backup – Unlimited Database & Files Backup by Backup for WP <= 7.3 - Unauthenticated Database Back-Up Exposure

Jan 8, 2025 Patched in 7.4 (1d)
CVE-2022-2271 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Database Backup <= 5.8.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Aug 16, 2022 Patched in 5.9 (525d)
WF-31496229-bf54-466c-a87b-cc32e65500a4-wp-database-backup · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Database Backup <= 5.9 - Authenticated (Admin+) Stored Cross-Site Scripting

Aug 9, 2022 Patched in 5.9 (532d)
CVE-2020-7241 · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

WP Database Backup <= 5.5 - Unauthenticated Information Disclosure

Feb 6, 2020 Patched in 5.5.1 (1447d)
CVE-2019-25224 · critical · 9.8 · Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

WP Database Backup < 5.2 - Unauthenticated OS Command Injection

Apr 24, 2019 Patched in 5.2 (2284d)
CVE-2019-14949 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Database Backup <= 5.1.1 - Cross-Site Scripting

Apr 22, 2019 Patched in 5.1.2 (1737d)

WP Database Backup <= 5.1.2 - Unauthenticated Settings Update to Remote Code Execution

Mar 24, 2019 Patched in 5.1.3 (1766d)
WF-76f9d37e-1339-4267-aaf6-38a591e97fa2-wp-database-backup · high · 8.8 · Cross-Site Request Forgery (CSRF)

WP Database Backup <= 4.3.5 - Cross-Site Request Forgery

Oct 21, 2016 Patched in 4.3.6 (2650d)
CVE-2016-10874 · high · 8.8 · Cross-Site Request Forgery (CSRF)

WP Database Backup <= 4.3.2 - Cross-Site Request Forgery

Aug 4, 2016 Patched in 4.3.3 (2728d)
CVE-2016-10873 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Database Backup <= 4.3.2 - Cross-Site Scripting

Aug 3, 2016 Patched in 4.3.3 (2729d)
CVE-2016-10875 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Database Backup <= 4.3 - Cross-Site Scripting

Aug 1, 2016 Patched in 4.3.1 (2731d)
CVE-2016-10876 · high · 8.8 · Cross-Site Request Forgery (CSRF)

WP Database Backup <= 4.3 - Cross-Site Request Forgery

Apr 8, 2016 Patched in 4.3.1 (2846d)
WF-1a684ca7-0856-418e-9229-3e74dafb5c89-wp-database-backup · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Database Backup < 3.4 - Authenticated Stored Cross-Site Scripting

Aug 20, 2015 Patched in 3.4 (3078d)
Code Analysis
Analyzed Mar 16, 2026

WP Database Backup – Unlimited Database & Files Backup by Backup for WP Code Analysis

Dangerous Functions: 8
Raw SQL Queries: 17 (55 prepared)
Unescaped Output: 310 (643 escaped)
Nonce Checks: 34
Capability Checks: 30
File Operations: 46
External Requests: 17
Bundled Libraries: 1

Dangerous Functions Found

shell_exec · if ( is_null( shell_exec( 'hash mysqldump 2>&1' ) ) ) { // phpcs:ignore · includes\admin\class-wpdb-admin.php:2476
shell_exec · if ( ! shell_exec( 'echo WP Backup' ) ) { // phpcs:ignore · includes\admin\class-wpdb-admin.php:2560
shell_exec · $stderr = shell_exec( $cmd ); // phpcs:ignore · includes\admin\class-wpdb-admin.php:2642
shell_exec · if (is_null(shell_exec('hash zip 2>&1'))) { · includes\admin\class-wpdb-admin.php:3401
shell_exec · $stderr = shell_exec('cd ' . escapeshellarg($this->get_root()) . ' && ' . escapeshellcmd($this->get_ · includes\admin\class-wpdb-admin.php:3441
shell_exec · $stderr = shell_exec('cd ' . escapeshellarg($this->get_root()) . ' && ' . escapeshellcmd($this->get_ · includes\admin\class-wpdb-admin.php:3447
unserialize · return unserialize($ret['data']); · includes\admin\Destination\Google\google-api-php-client\src\cache\Google_ApcCache.php:79
unserialize · $data = unserialize($data); · includes\admin\Destination\Google\google-api-php-client\src\cache\Google_FileCache.php:102

Bundled Libraries

DataTables

SQL Query Safety

76% prepared · 72 total queries

Output Escaping

67% escaped · 953 total outputs

Data Flows: All sanitized

Data Flow Analysis

16 flows
wp_db_backup_admin_init (includes\admin\class-wpdb-admin.php:155)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface: 4 unprotected

WP Database Backup – Unlimited Database & Files Backup by Backup for WP Attack Surface

Entry Points: 21
Unprotected: 4

AJAX Handlers 19

auth · wp_ajax_wpdbbkp_send_query_message · includes\admin\class-wpdb-admin.php:38
auth · wp_ajax_wpdbbkp_cloudbackup_dismiss_notice · includes\admin\class-wpdb-admin.php:42
auth · wp_ajax_wpdbbkp_subscribe_to_news_letter · includes\admin\class-wpdbbkp-newsletter.php:18
auth · wp_ajax_wpdbbkp_check_fullbackup_stat · includes\admin\cron-create-full-backup-incremental.php:162
auth · wp_ajax_wpdbbkp_start_cron_manual · includes\admin\cron-create-full-backup-incremental.php:182
auth · wp_ajax_wpdbbkp_get_progress · includes\admin\cron-create-full-backup-incremental.php:217
auth · wp_ajax_wpdbbkp_stop_cron_manual · includes\admin\cron-create-full-backup-incremental.php:1080
auth · wp_ajax_wpdbbkp_check_fullbackup_stat · includes\admin\cron-create-full-backup.php:98
auth · wp_ajax_wpdbbkp_start_cron_manual · includes\admin\cron-create-full-backup.php:118
auth · wp_ajax_wpdbbkp_get_progress · includes\admin\cron-create-full-backup.php:152
auth · wp_ajax_wpdbbkp_stop_cron_manual · includes\admin\cron-create-full-backup.php:1074
auth · wp_ajax_test_generics3_connection · includes\admin\Destination\GenericS3\class-wpdatabasebackupgenerics3.php:13
auth · wp_ajax_wpdbbkp_email_unsubscribe · includes\admin\filter.php:40
nopriv · wp_ajax_wpdbbkp_email_unsubscribe · includes\admin\filter.php:41
auth · wp_ajax_wpdbbkp_send_feedback · includes\admin\mb-helper-functions.php:122
auth · wp_ajax_wpdbbkp_save_remote_token · includes\admin\mb-helper-functions.php:360
auth · wp_ajax_wpdbbkp_check_extract_status · includes\features.php:5
auth · wp_ajax_wpdbbkp_upload_site_chunk · includes\features.php:22
auth · wp_ajax_wpdbbkp_extract_uploaded_site · includes\features.php:45

REST API Routes 2

GET · /wp-json/wpdbbkp/v1/cron_backup/(?P<token>[a-zA-Z0-9]+) · includes\admin\cron-create-full-backup-incremental.php:141
GET · /wp-json/wpdbbkp/v1/cron_backup/(?P<token>[a-zA-Z0-9]+) · includes\admin\cron-create-full-backup.php:78
WordPress Hooks 50
action · admin_init · includes\admin\class-wpdb-admin.php:29
action · admin_init · includes\admin\class-wpdb-admin.php:30
action · admin_menu · includes\admin\class-wpdb-admin.php:31
filter · cron_schedules · includes\admin\class-wpdb-admin.php:32
action · wpdbbkp_db_backup_event · includes\admin\class-wpdb-admin.php:33
action · init · includes\admin\class-wpdb-admin.php:34
action · wp_db_backup_completed · includes\admin\class-wpdb-admin.php:35
action · admin_enqueue_scripts · includes\admin\class-wpdb-admin.php:36
action · admin_enqueue_scripts · includes\admin\class-wpdb-admin.php:37
action · admin_notices · includes\admin\class-wpdb-admin.php:40
action · admin_notices · includes\admin\class-wpdb-admin.php:41
action · admin_init · includes\admin\class-wpdb-admin.php:43
filter · wpdbbkp_localize_filter · includes\admin\class-wpdbbkp-newsletter.php:17
action · init · includes\admin\cron-create-full-backup-incremental.php:8
action · wpdbkup_event_fullbackup · includes\admin\cron-create-full-backup-incremental.php:30
filter · cron_schedules · includes\admin\cron-create-full-backup-incremental.php:41
action · wp · includes\admin\cron-create-full-backup-incremental.php:62
action · wpdbbkp_cron_backup_hook_db · includes\admin\cron-create-full-backup-incremental.php:87
action · backup_files_cron_new · includes\admin\cron-create-full-backup-incremental.php:89
filter · cron_schedules · includes\admin\cron-create-full-backup-incremental.php:104
action · wp · includes\admin\cron-create-full-backup-incremental.php:132
action · rest_api_init · includes\admin\cron-create-full-backup-incremental.php:138
action · init · includes\admin\cron-create-full-backup.php:8
action · wpdbkup_event_fullbackup · includes\admin\cron-create-full-backup.php:41
action · wpdbbkp_backup_files_cron · includes\admin\cron-create-full-backup.php:43
filter · cron_schedules · includes\admin\cron-create-full-backup.php:59
action · rest_api_init · includes\admin\cron-create-full-backup.php:75
action · wp_db_backup_completed · includes\admin\Destination\Backblaze\class-wpdatabasebackupbb.php:15
action · wp_db_backup_completed · includes\admin\Destination\CloudDrive\class-wpdatabasebackupcd.php:15
action · wp_db_backup_completed · includes\admin\Destination\Dropbox\class-wpdbbackupdropbox.php:8
action · wp_db_backup_completed · includes\admin\Destination\Email\class-wpdbbackupemail.php:12
action · wp_db_backup_completed · includes\admin\Destination\FTP\class-wpdbbackupftp.php:8
action · wp_db_backup_completed · includes\admin\Destination\GenericS3\class-wpdatabasebackupgenerics3.php:12
action · wp_db_backup_completed · includes\admin\Destination\Google\class-wpdbbackupgoogle.php:12
action · wp_db_backup_completed · includes\admin\Destination\Local\class-wpdbbackuplocal.php:12
action · wp_db_backup_completed · includes\admin\Destination\S3\class-wpdatabasebackups3.php:12
action · wp_db_backup_completed · includes\admin\Destination\SFTP\class-wpdbbackupsftp.php:8
filter · upgrader_pre_install · includes\admin\filter.php:8
action · admin_enqueue_scripts · includes\admin\mb-helper-functions.php:126
filter · admin_footer · includes\admin\mb-helper-functions.php:148
action · wp_db_backup_completed · includes\class-wpdbbackuplog.php:8
action · wpdbbkp_backup_completed · includes\class-wpdbfullbackuplog.php:2
filter · wpdbbkp_process_db_fields · includes\features.php:4
filter · wpdbbkp_sql_query_restore · includes\features.php:791
action · wpdbbkp_database_backup_options · includes\features.php:816
action · wpdbbkp_full_backup_options · includes\features.php:891
filter · wpdbbkp_fullback_cron_condition · includes\features.php:957
filter · wpdbbkp_dbback_cron_condition · includes\features.php:992
filter · wpdbbkp_dbback_cron_frequency · includes\features.php:1022
action · admin_init · includes\features.php:1086

Scheduled Events 8

wpdbbkp_db_backup_event
wpdbkup_event_fullbackup
wpdbkup_event_fullbackup
wpdbbkp_cron_backup_hook_db
backup_files_cron_new
wpdbkup_event_fullbackup
wpdbkup_event_fullbackup
wpdbbkp_backup_files_cron
Maintenance & Trust

WP Database Backup – Unlimited Database & Files Backup by Backup for WP Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 22, 2026
PHP min version: 5.6.20
Downloads: 2.2M

Community Trust

Rating: 88/100
Number of ratings: 101
Active installs: 30K
Developer Profile

WP Database Backup – Unlimited Database & Files Backup by Backup for WP Developer Profile

Backup For WP

1 plugin · 30K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 1927 days
Detection Fingerprints

How We Detect WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-database-backup/assets/css/wp-database-backup-admin.css
/wp-content/plugins/wp-database-backup/assets/css/wp-database-backup-front.css
/wp-content/plugins/wp-database-backup/assets/js/wp-database-backup-admin.js
/wp-content/plugins/wp-database-backup/assets/js/wp-database-backup-front.js

Script Paths
/wp-content/plugins/wp-database-backup/assets/js/wp-database-backup-admin.js
/wp-content/plugins/wp-database-backup/assets/js/wp-database-backup-front.js

Version Parameters
wp-database-backup/assets/css/wp-database-backup-admin.css?ver=
wp-database-backup/assets/css/wp-database-backup-front.css?ver=
wp-database-backup/assets/js/wp-database-backup-admin.js?ver=
wp-database-backup/assets/js/wp-database-backup-front.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpdbbkp-options-form
wpdbbkp-backup-button
wpdbbkp-backup-status

HTML Comments
<!-- WP Database Backup Settings -->
<!-- backup by Backup for WP -->

Data Attributes
data-wpdbbkp-action
data-wpdbbkp-backup-type

JS Globals
wpdbbkp_ajax_object

REST Endpoints
/wp-json/wpdbbkp/v1/backup
/wp-json/wpdbbkp/v1/restore
FAQ

Frequently Asked Questions about WP Database Backup – Unlimited Database & Files Backup by Backup for WP