CVE-2020-36848

7.5 HIGH

📋 TL;DR

The Total Upkeep WordPress backup plugin exposes sensitive information through publicly accessible files (env-info.php and restore-info.json), allowing unauthenticated attackers to discover backup file locations. This affects all WordPress sites using the plugin up to version 1.14.9. Attackers can download backup files which may contain sensitive data like database credentials and site content.

💻 Affected Systems

Products:
  • Total Upkeep - WordPress Backup Plugin plus Restore & Migrate by BoldGrid
Versions: All versions up to and including 1.14.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with the vulnerable plugin version installed and activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers download complete site backups containing database credentials, admin passwords, user data, and site files, leading to full site compromise, data theft, and potential credential reuse attacks.

🟠

Likely Case

Attackers locate and download backup files containing sensitive configuration data, database dumps, and potentially user information, enabling further attacks or data exfiltration.

🟢

If Mitigated

With proper access controls and monitoring, exposure is limited to file discovery only, preventing actual backup file downloads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A Metasploit module is available; simple HTTP requests to the exposed files reveal backup file locations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.14.10 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2439376/boldgrid-backup

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Total Upkeep' and click 'Update Now'.
4. Verify the version is 1.14.10 or higher.

🔧 Temporary Workarounds

Block access to vulnerable files


Add .htaccess rules to block public access to env-info.php and restore-info.json files

# Add to .htaccess in WordPress root directory
<Files "env-info.php">
    Order Allow,Deny
    Deny from all
</Files>
<Files "restore-info.json">
    Order Allow,Deny
    Deny from all
</Files>

Remove vulnerable files


Delete the exposed files from the plugin directory

rm /path/to/wordpress/wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/env-info.php
rm /path/to/wordpress/wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/restore-info.json

🧯 If You Can't Patch

  • Disable the Total Upkeep plugin immediately
  • Implement web application firewall rules to block requests to env-info.php and restore-info.json

🔍 How to Verify

Check if Vulnerable:

Visit https://yoursite.com/wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/env-info.php - if accessible, you're vulnerable.

Check Version:

wp plugin get boldgrid-backup --field=version

Verify Fix Applied:

After updating, attempt to access the env-info.php and restore-info.json files - they should return 403 or 404 errors.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses to /wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/env-info.php
  • HTTP 200 responses to /wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/restore-info.json
  • Unusual file downloads from backup directories

Network Indicators:

  • Requests to backup file paths discovered via the exposed files
  • Large outbound transfers of backup files

SIEM Query:

source="web_logs" AND (uri="/wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/env-info.php" OR uri="/wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/restore-info.json") AND response="200"
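An added example, not from this page or the plugin vendor, that applies the log indicators above to web server access-log lines offline: it reports HTTP 200 hits on the two exposed paths (file was actually served) and counts probes per source address regardless of status. The combined log format and the sample lines are assumed and constructed.

```python
import re
from collections import Counter

# Hypothetical scanner constructed for this advisory; not vendor or Metasploit code.
EXPOSED_PATHS = (
    "/wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/env-info.php",
    "/wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/restore-info.json",
)

# Assumed Apache/nginx "combined" format: ip - - [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

def _exposed_path(match):
    # Drop any query string before comparing against the known file paths
    path = match.group("path").split("?", 1)[0]
    return path if path in EXPOSED_PATHS else None

def find_exposure_hits(lines):
    """(ip, time, path, status) for each request that was served (200) from an exposed file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and _exposed_path(m) and m.group("status") == "200":
            hits.append((m.group("ip"), m.group("time"), _exposed_path(m), 200))
    return hits

def count_probes(lines):
    """Requests per source IP against the exposed paths, any status (blocked probes still matter)."""
    probes = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and _exposed_path(m):
            probes[m.group("ip")] += 1
    return probes

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/env-info.php HTTP/1.1" 200 1532
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/restore-info.json HTTP/1.1" 200 412
198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-content/plugins/boldgrid-backup/includes/class-boldgrid-backup-admin/partials/env-info.php HTTP/1.1" 403 199
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2845
""".splitlines()

if __name__ == "__main__":
    for hit in find_exposure_hits(SAMPLE_LOG):
        print("EXPOSED:", *hit)
    print("probes by ip:", dict(count_probes(SAMPLE_LOG)))
```

Any 200 hit means the mitigation is not in place on that host; the 403 probe shows a blocked attempt that is still worth alerting on.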

🔗 References
