Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups <= 2.0.9 - Unauthenticated Information Exposure
Description
The Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.9. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=2.0.9What Changed in the Fix
Changes introduced in v2.0.10
Source Code
WordPress.org SVNThis exploitation research plan targets **CVE-2026-54839**, an Unauthenticated Information Exposure vulnerability in the **Trinity Backup** plugin for WordPress. ### 1. Vulnerability Summary The Trinity Backup plugin stores full-site backup archives, metadata, and operational logs in a publicly acc…
Show full research plan
This exploitation research plan targets CVE-2026-54839, an Unauthenticated Information Exposure vulnerability in the Trinity Backup plugin for WordPress.
1. Vulnerability Summary
The Trinity Backup plugin stores full-site backup archives, metadata, and operational logs in a publicly accessible directory: wp-content/uploads/trinity-backup/. In versions up to and including 2.0.9, the plugin fails to properly secure this directory with an index.php (to prevent directory listing) or an .htaccess/web.config file (to deny direct access to backup files).
While the plugin uses a folder naming convention of {domain}-{date}-{time}-{random}, unauthenticated attackers can discover these backups if directory listing is enabled on the server or by accessing predictable metadata files like _operation_lock.json. This leads to the exposure of sensitive site data, including the entire WordPress database, configuration files (wp-config.php), and user information.
2. Attack Vector Analysis
- Endpoint: Direct HTTP GET requests to the
wp-content/uploadsdirectory. - Target Files:
wp-content/uploads/trinity-backup/(Directory Listing)wp-content/uploads/trinity-backup/_operation_lock.json(Lock metadata)wp-content/uploads/trinity-backup/{backup-id}/meta.json(Backup metadata
Summary
The Trinity Backup plugin for WordPress stores full-site backup archives and operational metadata in a publicly accessible directory within wp-content/uploads. Because the plugin fails to implement directory protection or authenticated download wrappers in versions up to 2.0.9, unauthenticated attackers can discover and download backups containing the entire site database and configuration.
Vulnerable Code
/* src/Core/BackupManager.php */ public function __construct() { $uploads = wp_upload_dir(); $this->backupDir = trailingslashit($uploads['basedir']) . 'trinity-backup'; } // ... lines 69-72 ... 'url' => trailingslashit($uploads['baseurl']) . 'trinity-backup/' . $backupId . '/' . basename($trinityPath), 'path' => $trinityPath, --- /* src/Core/OperationLock.php */ private function getLockPath(): string { $uploads = wp_upload_dir(); $dir = trailingslashit($uploads['basedir']) . 'trinity-backup'; if (!is_dir($dir)) { wp_mkdir_p($dir); } return $dir . '/' . self::LOCK_FILE; }
Security Fix
@@ -17,8 +17,7 @@ public function __construct() { - $uploads = wp_upload_dir(); - $this->backupDir = trailingslashit($uploads['basedir']) . 'trinity-backup'; + $this->backupDir = StorageSecurity::ensureBaseDirectory(); } /** @@ -33,8 +32,6 @@ return $backups; } - $uploads = wp_upload_dir(); - // Find backups in subdirectories (domain-date-time-random) $dirs = glob($this->backupDir . '/*', GLOB_ONLYDIR); if ($dirs !== false) { @@ -69,7 +66,7 @@ 'filename' => $backupId . '.trinity', 'size' => filesize($trinityPath) ?: 0, 'created' => filemtime($trinityPath) ?: 0, - 'url' => trailingslashit($uploads['baseurl']) . 'trinity-backup/' . $backupId . '/' . basename($trinityPath), + 'url' => StorageSecurity::buildDownloadUrl($backupId), 'path' => $trinityPath, 'origin' => $origin, ]; @@ -101,7 +98,7 @@ 'filename' => $filename, 'size' => filesize($trinityPath) ?: 0, 'created' => filemtime($trinityPath) ?: 0, - 'url' => trailingslashit($uploads['baseurl']) . 'trinity-backup/' . $filename, + 'url' => StorageSecurity::buildDownloadUrl($id), 'path' => $trinityPath, 'origin' => $origin, ];
Exploit Outline
The exploit targets the predictable storage location of site backups in the WordPress uploads directory. An attacker first attempts to access '/wp-content/uploads/trinity-backup/' directly; if directory listing is enabled, they can browse subdirectories to locate '.trinity' archive files. If listing is disabled, the attacker targets the fixed metadata file '/wp-content/uploads/trinity-backup/_operation_lock.json', which often leaks the directory name or backup ID of the current or most recent operation. With this information, the attacker constructs the direct path to the backup archive (e.g., '/wp-content/uploads/trinity-backup/{discovered-id}/{discovered-id}.trinity') and downloads it without authentication. The archive can then be extracted to recover the site's database, wp-config.php, and all files.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.