[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDh6ytw96VmoE71aMk7RG_bVqXsNWldyuSHwD01iwcJk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-39480","backupbliss-backup-migration-with-free-cloud-storage-unauthenticated-information-exposure","BackupBliss – Backup & Migration with Free Cloud Storage \u003C= 2.1.1 - Unauthenticated Information Exposure","The BackupBliss – Backup & Migration with Free Cloud Storage plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.1. 
This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","backup-backup",null,"\u003C=2.1.1","2.1.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-04-08 00:00:00","2026-04-15 18:47:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0cfd7098-05c9-45c3-95eb-613894867743?source=api-prod",8,[22,23,24,25,26,27],"admin\u002Fcss\u002Fbmi-plugin.min.css","admin\u002Fjs\u002Fbackup-migration.min.js","analyst\u002Fassets\u002Fjs\u002Fcustomize.js","analyst\u002Fautoload.php","analyst\u002Fsrc\u002FAccount\u002FAccount.php","analyst\u002Fsrc\u002FAccount\u002FAccountDataFactory.php","researched",false,3,"# Research Plan: CVE-2026-39480 - BackupBliss Information Exposure\n\n## 1. Vulnerability Summary\nThe **BackupBliss – Backup & Migration with Free Cloud Storage** plugin (versions \u003C= 2.1.1) is vulnerable to **Unauthenticated Information Exposure** through its integrated \"Analyst\" tracking library. The library registers several AJAX actions intended for tracking and opt-in management. Specifically, the `analyst_install_verified` action (and potentially others) is registered with a handler, `onInstallVerifiedListener`, that performs no authentication or nonce check before responding. This allows unauthenticated attackers to trigger the action and receive a response containing sensitive configuration data, including the `clientSecret` and tracking identifiers stored in the `analyst_accounts_data` WordPress option.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `analyst_install_verified` or `analyst_install_verified_backup-backup` (inferred from `customize.js`).\n- **HTTP Method:** `POST`\n- **Authentication:** None (Unauthenticated).\n- **Parameters:**\n    - `action`: (Required) The AJAX action registered in `Account.php`.\n    - `plugin_id`: (Likely) Used as a suffix or parameter to identify the specific plugin instance.\n- **Preconditions:** The plugin must be active. The \"Analyst\" tracking component must have been initialized (usually happens on plugin activation).\n\n## ","The BackupBliss plugin for WordPress is vulnerable to sensitive information exposure via its integrated 'Analyst' tracking library. Unauthenticated attackers can trigger the analyst_install_verified AJAX action, which lacks proper authentication and nonce checks, to extract configuration data including the clientSecret and tracking identifiers.","\u002F\u002F analyst\u002Fsrc\u002FAccount\u002FAccount.php:255\npublic function registerHooks()\n{\n    register_activation_hook($this->basePluginPath, [&$this, 'onActivePluginListener']);\n    register_uninstall_hook($this->basePluginPath, ['Account\\Account', 'onUninstallPluginListener']);\n\n    $this->addFilter('plugin_action_links', [&$this, 'onRenderActionLinksHook']);\n\n    $this->addAjax('analyst_opt_in', [&$this, 'onOptInListener']);\n    $this->addAjax('analyst_opt_out', [&$this, 'onOptOutListener']);\n    $this->addAjax('analyst_plugin_deactivate', [&$this, 'onDeactivatePluginListener']);\n    $this->addAjax('analyst_install', [&$this, 'onInstallListener']);\n    $this->addAjax('analyst_skip_install', [&$this, 'onSkipInstallListener']);\n    $this->addAjax('analyst_install_verified', [&$this, 'onInstallVerifiedListener']);\n}","--- a\u002Fanalyst\u002Fsrc\u002FAccount\u002FAccount.php\n+++ b\u002Fanalyst\u002Fsrc\u002FAccount\u002FAccount.php\n@@ -390,6 +390,8 @@\n \n \tpublic function 
onInstallVerifiedListener()\n \t{\n+\t\t$this->verifyNonceAndPerms();\n+\n \t\t$id = $this->id;\n \t\tif (isset($_POST['plugin_id'])) {\n \t\t\t$id = sanitize_text_field($_POST['plugin_id']);","1. Identify a target site running BackupBliss (backup-backup) version \u003C= 2.1.1.\n2. Determine the internal Analyst plugin ID (typically 'backup-backup').\n3. Send an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the parameter `action=analyst_install_verified_backup-backup` (or `analyst_install_verified` with `plugin_id=backup-backup`).\n4. The server will process the request without checking for a valid session or nonce.\n5. Capture the JSON response, which contains sensitive account details such as the `clientSecret` and internal tracking IDs stored in the `analyst_accounts_data` option.","gemini-3-flash-preview","2026-04-17 20:17:40","2026-04-17 20:18:55",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","2.1.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbackup-backup\u002Ftags\u002F2.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbackup-backup.2.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbackup-backup\u002Ftags\u002F2.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbackup-backup.2.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbackup-backup\u002Ftags"]