CVE-2026-54839

Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups <= 2.0.9 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.0.10
Patched in
8d
Time to patch

Description

The Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.9. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=2.0.9
PublishedJune 18, 2026
Last updatedJune 25, 2026
Affected plugintrinity-backup

What Changed in the Fix

Changes introduced in v2.0.10

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This exploitation research plan targets **CVE-2026-54839**, an Unauthenticated Information Exposure vulnerability in the **Trinity Backup** plugin for WordPress. ### 1. Vulnerability Summary The Trinity Backup plugin stores full-site backup archives, metadata, and operational logs in a publicly acc…

Show full research plan

This exploitation research plan targets CVE-2026-54839, an Unauthenticated Information Exposure vulnerability in the Trinity Backup plugin for WordPress.

1. Vulnerability Summary

The Trinity Backup plugin stores full-site backup archives, metadata, and operational logs in a publicly accessible directory: wp-content/uploads/trinity-backup/. In versions up to and including 2.0.9, the plugin fails to properly secure this directory with an index.php (to prevent directory listing) or an .htaccess/web.config file (to deny direct access to backup files).

While the plugin uses a folder naming convention of {domain}-{date}-{time}-{random}, unauthenticated attackers can discover these backups if directory listing is enabled on the server or by accessing predictable metadata files like _operation_lock.json. This leads to the exposure of sensitive site data, including the entire WordPress database, configuration files (wp-config.php), and user information.

2. Attack Vector Analysis

  • Endpoint: Direct HTTP GET requests to the wp-content/uploads directory.
  • Target Files:
    • wp-content/uploads/trinity-backup/ (Directory Listing)
    • wp-content/uploads/trinity-backup/_operation_lock.json (Lock metadata)
    • wp-content/uploads/trinity-backup/{backup-id}/meta.json (Backup metadata
Research Findings
Static analysis — not yet PoC-verified

Summary

The Trinity Backup plugin for WordPress stores full-site backup archives and operational metadata in a publicly accessible directory within wp-content/uploads. Because the plugin fails to implement directory protection or authenticated download wrappers in versions up to 2.0.9, unauthenticated attackers can discover and download backups containing the entire site database and configuration.

Vulnerable Code

/* src/Core/BackupManager.php */

    public function __construct()
    {
        $uploads = wp_upload_dir();
        $this->backupDir = trailingslashit($uploads['basedir']) . 'trinity-backup';
    }

// ... lines 69-72 ...
                    'url' => trailingslashit($uploads['baseurl']) . 'trinity-backup/' . $backupId . '/' . basename($trinityPath),
                    'path' => $trinityPath,

---

/* src/Core/OperationLock.php */

    private function getLockPath(): string
    {
        $uploads = wp_upload_dir();
        $dir = trailingslashit($uploads['basedir']) . 'trinity-backup';
        if (!is_dir($dir)) {
            wp_mkdir_p($dir);
        }

        return $dir . '/' . self::LOCK_FILE;
    }

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/trinity-backup/2.0.9/src/Core/BackupManager.php /home/deploy/wp-safety.org/data/plugin-versions/trinity-backup/2.0.10/src/Core/BackupManager.php
--- /home/deploy/wp-safety.org/data/plugin-versions/trinity-backup/2.0.9/src/Core/BackupManager.php	2026-03-09 09:51:24.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/trinity-backup/2.0.10/src/Core/BackupManager.php	2026-05-20 17:58:00.000000000 +0000
@@ -17,8 +17,7 @@
 
     public function __construct()
     {
-        $uploads = wp_upload_dir();
-        $this->backupDir = trailingslashit($uploads['basedir']) . 'trinity-backup';
+        $this->backupDir = StorageSecurity::ensureBaseDirectory();
     }
 
     /**
@@ -33,8 +32,6 @@
             return $backups;
         }
 
-        $uploads = wp_upload_dir();
-
         // Find backups in subdirectories (domain-date-time-random)
         $dirs = glob($this->backupDir . '/*', GLOB_ONLYDIR);
         if ($dirs !== false) {
@@ -69,7 +66,7 @@
                     'filename' => $backupId . '.trinity',
                     'size' => filesize($trinityPath) ?: 0,
                     'created' => filemtime($trinityPath) ?: 0,
-                    'url' => trailingslashit($uploads['baseurl']) . 'trinity-backup/' . $backupId . '/' . basename($trinityPath),
+                    'url' => StorageSecurity::buildDownloadUrl($backupId),
                     'path' => $trinityPath,
                     'origin' => $origin,
                 ];
@@ -101,7 +98,7 @@
                     'filename' => $filename,
                     'size' => filesize($trinityPath) ?: 0,
                     'created' => filemtime($trinityPath) ?: 0,
-                    'url' => trailingslashit($uploads['baseurl']) . 'trinity-backup/' . $filename,
+                    'url' => StorageSecurity::buildDownloadUrl($id),
                     'path' => $trinityPath,
                     'origin' => $origin,
                 ];

Exploit Outline

The exploit targets the predictable storage location of site backups in the WordPress uploads directory. An attacker first attempts to access '/wp-content/uploads/trinity-backup/' directly; if directory listing is enabled, they can browse subdirectories to locate '.trinity' archive files. If listing is disabled, the attacker targets the fixed metadata file '/wp-content/uploads/trinity-backup/_operation_lock.json', which often leaks the directory name or backup ID of the current or most recent operation. With this information, the attacker constructs the direct path to the backup archive (e.g., '/wp-content/uploads/trinity-backup/{discovered-id}/{discovered-id}.trinity') and downloads it without authentication. The archive can then be extracted to recover the site's database, wp-config.php, and all files.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.