[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fG-PZXZ2B14Svv698jD3ZTtfKzwW86oxx1VEFeCa3TU8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-54839","trinity-backup-backup-migrate-restore-clone-schedule-backups-unauthenticated-information-exposure","Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups \u003C= 2.0.9 - Unauthenticated Information Exposure","The Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.9. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","trinity-backup",null,"\u003C=2.0.9","2.0.10","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-18 00:00:00","2026-06-25 13:34:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9d0af9d0-eed7-44de-8c2f-2fe6a04d6d0e?source=api-prod",8,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fmodern.css","assets\u002Ftrinity-backup.js","readme.txt","src\u002FCore\u002FBackupManager.php","src\u002FCore\u002FCompatibilityChecker.php","src\u002FCore\u002FOperationLock.php","src\u002FCore\u002FPlugin.php","src\u002FCore\u002FRouter.php","researched",false,3,"This exploitation research plan targets **CVE-2026-54839**, an Unauthenticated Information Exposure vulnerability in the **Trinity Backup** plugin for WordPress.\n\n### 1. Vulnerability Summary\nThe Trinity Backup plugin stores full-site backup archives, metadata, and operational logs in a publicly accessible directory: `wp-content\u002Fuploads\u002Ftrinity-backup\u002F`. In versions up to and including **2.0.9**, the plugin fails to properly secure this directory with an `index.php` (to prevent directory listing) or an `.htaccess`\u002F`web.config` file (to deny direct access to backup files). \n\nWhile the plugin uses a folder naming convention of `{domain}-{date}-{time}-{random}`, unauthenticated attackers can discover these backups if directory listing is enabled on the server or by accessing predictable metadata files like `_operation_lock.json`. This leads to the exposure of sensitive site data, including the entire WordPress database, configuration files (`wp-config.php`), and user information.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Direct HTTP GET requests to the `wp-content\u002Fuploads` directory.\n*   **Target Files:** \n    *   `wp-content\u002Fuploads\u002Ftrinity-backup\u002F` (Directory Listing)\n    *   `wp-content\u002Fuploads\u002Ftrinity-backup\u002F_operation_lock.json` (Lock metadata)\n    *   `wp-content\u002Fuploads\u002Ftrinity-backup\u002F{backup-id}\u002Fmeta.json` (Backup metadata","The Trinity Backup plugin for WordPress stores full-site backup archives and operational metadata in a publicly accessible directory within wp-content\u002Fuploads. Because the plugin fails to implement directory protection or authenticated download wrappers in versions up to 2.0.9, unauthenticated attackers can discover and download backups containing the entire site database and configuration.","\u002F* src\u002FCore\u002FBackupManager.php *\u002F\n\n    public function __construct()\n    {\n        $uploads = wp_upload_dir();\n        $this->backupDir = trailingslashit($uploads['basedir']) . 'trinity-backup';\n    }\n\n\u002F\u002F ... lines 69-72 ...\n                    'url' => trailingslashit($uploads['baseurl']) . 'trinity-backup\u002F' . $backupId . '\u002F' . basename($trinityPath),\n                    'path' => $trinityPath,\n\n---\n\n\u002F* src\u002FCore\u002FOperationLock.php *\u002F\n\n    private function getLockPath(): string\n    {\n        $uploads = wp_upload_dir();\n        $dir = trailingslashit($uploads['basedir']) . 'trinity-backup';\n        if (!is_dir($dir)) {\n            wp_mkdir_p($dir);\n        }\n\n        return $dir . '\u002F' . self::LOCK_FILE;\n    }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftrinity-backup\u002F2.0.9\u002Fsrc\u002FCore\u002FBackupManager.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftrinity-backup\u002F2.0.10\u002Fsrc\u002FCore\u002FBackupManager.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftrinity-backup\u002F2.0.9\u002Fsrc\u002FCore\u002FBackupManager.php\t2026-03-09 09:51:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftrinity-backup\u002F2.0.10\u002Fsrc\u002FCore\u002FBackupManager.php\t2026-05-20 17:58:00.000000000 +0000\n@@ -17,8 +17,7 @@\n \n     public function __construct()\n     {\n-        $uploads = wp_upload_dir();\n-        $this->backupDir = trailingslashit($uploads['basedir']) . 'trinity-backup';\n+        $this->backupDir = StorageSecurity::ensureBaseDirectory();\n     }\n \n     \u002F**\n@@ -33,8 +32,6 @@\n             return $backups;\n         }\n \n-        $uploads = wp_upload_dir();\n-\n         \u002F\u002F Find backups in subdirectories (domain-date-time-random)\n         $dirs = glob($this->backupDir . '\u002F*', GLOB_ONLYDIR);\n         if ($dirs !== false) {\n@@ -69,7 +66,7 @@\n                     'filename' => $backupId . '.trinity',\n                     'size' => filesize($trinityPath) ?: 0,\n                     'created' => filemtime($trinityPath) ?: 0,\n-                    'url' => trailingslashit($uploads['baseurl']) . 'trinity-backup\u002F' . $backupId . '\u002F' . basename($trinityPath),\n+                    'url' => StorageSecurity::buildDownloadUrl($backupId),\n                     'path' => $trinityPath,\n                     'origin' => $origin,\n                 ];\n@@ -101,7 +98,7 @@\n                     'filename' => $filename,\n                     'size' => filesize($trinityPath) ?: 0,\n                     'created' => filemtime($trinityPath) ?: 0,\n-                    'url' => trailingslashit($uploads['baseurl']) . 'trinity-backup\u002F' . $filename,\n+                    'url' => StorageSecurity::buildDownloadUrl($id),\n                     'path' => $trinityPath,\n                     'origin' => $origin,\n                 ];","The exploit targets the predictable storage location of site backups in the WordPress uploads directory. An attacker first attempts to access '\u002Fwp-content\u002Fuploads\u002Ftrinity-backup\u002F' directly; if directory listing is enabled, they can browse subdirectories to locate '.trinity' archive files. If listing is disabled, the attacker targets the fixed metadata file '\u002Fwp-content\u002Fuploads\u002Ftrinity-backup\u002F_operation_lock.json', which often leaks the directory name or backup ID of the current or most recent operation. With this information, the attacker constructs the direct path to the backup archive (e.g., '\u002Fwp-content\u002Fuploads\u002Ftrinity-backup\u002F{discovered-id}\u002F{discovered-id}.trinity') and downloads it without authentication. The archive can then be extracted to recover the site's database, wp-config.php, and all files.","gemini-3-flash-preview","2026-06-25 21:23:30","2026-06-25 21:25:09",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.0.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftrinity-backup\u002Ftags\u002F2.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftrinity-backup.2.0.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftrinity-backup\u002Ftags\u002F2.0.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftrinity-backup.2.0.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftrinity-backup\u002Ftags"]