CVE-2026-39480

BackupBliss – Backup & Migration with Free Cloud Storage <= 2.1.1 - Unauthenticated Information Exposure

Severity: medium
Weakness: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 5.3
Patched in: 2.1.2
Time to patch: 8d

Description

The BackupBliss – Backup & Migration with Free Cloud Storage plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 2.1.1
Published: April 8, 2026
Last updated: April 15, 2026
Affected plugin: backup-backup

What Changed in the Fix

Changes introduced in v2.1.2


Source Code

WordPress.org SVN
Research Plan
Unverified

Research Plan: CVE-2026-39480 - BackupBliss Information Exposure

1. Vulnerability Summary

The BackupBliss – Backup & Migration with Free Cloud Storage plugin (versions <= 2.1.1) is vulnerable to Unauthenticated Information Exposure through its integrated "Analyst" tracking library. The library registers several AJAX actions intended for tracking and opt-in management. Specifically, the analyst_install_verified action (and potentially others) is registered without proper authentication or nonce checks in its handler, onInstallVerifiedListener. This allows unauthenticated attackers to trigger the action and receive a response containing sensitive configuration data, including the clientSecret and tracking identifiers stored in the analyst_accounts_data WordPress option.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: analyst_install_verified or analyst_install_verified_backup-backup (inferred from customize.js).
  • HTTP Method: POST
  • Authentication: None (Unauthenticated).
  • Parameters:
    • action: (Required) The AJAX action registered in Account.php.
    • plugin_id: (Likely) Used as a suffix or parameter to identify the specific plugin instance.
  • Preconditions: The plugin must be active. The "Analyst" tracking component must have been initialized (usually happens on plugin activation).

Research Findings
Static analysis — not yet PoC-verified

Summary

The BackupBliss plugin for WordPress is vulnerable to sensitive information exposure via its integrated 'Analyst' tracking library. Unauthenticated attackers can trigger the analyst_install_verified AJAX action, which lacks proper authentication and nonce checks, to extract configuration data including the clientSecret and tracking identifiers.

Vulnerable Code

// analyst/src/Account/Account.php:255
public function registerHooks()
{
    register_activation_hook($this->basePluginPath, [&$this, 'onActivePluginListener']);
    register_uninstall_hook($this->basePluginPath, ['Account\Account', 'onUninstallPluginListener']);

    $this->addFilter('plugin_action_links', [&$this, 'onRenderActionLinksHook']);

    $this->addAjax('analyst_opt_in', [&$this, 'onOptInListener']);
    $this->addAjax('analyst_opt_out', [&$this, 'onOptOutListener']);
    $this->addAjax('analyst_plugin_deactivate', [&$this, 'onDeactivatePluginListener']);
    $this->addAjax('analyst_install', [&$this, 'onInstallListener']);
    $this->addAjax('analyst_skip_install', [&$this, 'onSkipInstallListener']);
    $this->addAjax('analyst_install_verified', [&$this, 'onInstallVerifiedListener']);
}

Security Fix

--- a/analyst/src/Account/Account.php
+++ b/analyst/src/Account/Account.php
@@ -390,6 +390,8 @@
 
 	public function onInstallVerifiedListener()
 	{
+		$this->verifyNonceAndPerms();
+
 		$id = $this->id;
 		if (isset($_POST['plugin_id'])) {
 			$id = sanitize_text_field($_POST['plugin_id']);
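Review bot: the guard is added only to onInstallVerifiedListener, while the registerHooks listing above wires up five other AJAX handlers (analyst_opt_in, analyst_opt_out, analyst_plugin_deactivate, analyst_install, analyst_skip_install) and the research plan flags "potentially others" as lacking authentication; confirm each of those handlers also calls `$this->verifyNonceAndPerms();` at entry. The hunk also does not show what verifyNonceAndPerms() enforces (which nonce action and which capability), so a one-line comment here or a docblock on the helper would make the fix reviewable from this hunk alone.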

Exploit Outline

1. Identify a target site running BackupBliss (backup-backup) version <= 2.1.1.
2. Determine the internal Analyst plugin ID (typically 'backup-backup').
3. Send an unauthenticated POST request to `/wp-admin/admin-ajax.php` with the parameter `action=analyst_install_verified_backup-backup` (or `analyst_install_verified` with `plugin_id=backup-backup`).
4. The server will process the request without checking for a valid session or nonce.
5. Capture the JSON response, which contains sensitive account details such as the `clientSecret` and internal tracking IDs stored in the `analyst_accounts_data` option.
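For comparison with the patched handler, the following is an added example (not the plugin's or the Analyst library's code) of how a guarded admin-ajax handler is structured: registered for logged-in users only, with a nonce and capability check before any option data is read, and a response that omits the stored secret. The helper name `bb_verify_nonce_and_perms`, the nonce action `analyst_admin`, the capability `manage_options`, and the assumption that `analyst_accounts_data` is keyed by plugin id are all assumptions; only the option name and the `plugin_id` handling come from the page.

```php
<?php
// Added example (not the plugin's code): a guarded admin-ajax handler that
// serves data from the analyst_accounts_data option only to an authorised caller.

// Registered for logged-in users only. A matching wp_ajax_nopriv_ registration is
// what makes an action reachable without a session; this handler has none.
add_action('wp_ajax_analyst_install_verified', 'bb_on_install_verified');

// Assumed equivalent of the fix's verifyNonceAndPerms(): stop the request unless
// it carries a valid nonce for the assumed action 'analyst_admin' AND the caller
// holds the assumed capability manage_options. wp_send_json_error() exits.
function bb_verify_nonce_and_perms(): void
{
    // Third argument false: return false instead of dying, so we control the reply.
    if (!check_ajax_referer('analyst_admin', 'nonce', false)) {
        wp_send_json_error(['message' => 'invalid nonce'], 403);
    }
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'insufficient privileges'], 403);
    }
}

function bb_on_install_verified(): void
{
    bb_verify_nonce_and_perms();

    // Same input handling as the patched handler: optional plugin_id override.
    $id = 'backup-backup';
    if (isset($_POST['plugin_id'])) {
        $id = sanitize_text_field(wp_unslash($_POST['plugin_id']));
    }

    // Assumed layout: one entry per plugin id.
    $accounts = get_option('analyst_accounts_data', []);
    if (!is_array($accounts) || !isset($accounts[$id])) {
        wp_send_json_error(['message' => 'unknown plugin id'], 404);
    }

    // Return only what the admin UI needs; the stored clientSecret never leaves the server.
    wp_send_json_success([
        'plugin_id' => $id,
        'verified'  => true,
    ]);
}
```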
