CVE-2025-10579
BackWPup 5 - 5.5.0 - Missing Authorization to Sensitive Information Exposure
mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
5.5.1
Patched in
5d
Time to patch
Description
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in versions 5 through 5.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve access to a back-up's filename while a backup is running. This information has little value on it's own, but could be used to aid in a brute force attack to retrieve back-up contents in limited environments (i.e. NGINX).
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NAttack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability
Technical Details
Affected versions
>=5 <=5.5.0PublishedOctober 24, 2025
Last updatedOctober 29, 2025
Affected pluginbackwpup
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.