CVE-2025-10579
📋 TL;DR
The BackWPup WordPress plugin up to version 5.5.0 has an authorization vulnerability where authenticated users with Subscriber-level access or higher can retrieve backup filenames during backup operations. This information disclosure could assist in brute-force attacks against backup files in specific server configurations like NGINX. All WordPress sites using vulnerable BackWPup versions are affected.
💻 Affected Systems
- BackWPup - WordPress Backup & Restore Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could combine filename disclosure with brute-force attacks to download sensitive backup files containing database credentials, user data, and site configuration.
Likely Case
Limited information disclosure revealing backup filenames, which alone has minimal impact but could facilitate further attacks in specific environments.
If Mitigated
With proper file permissions and web server configuration, the disclosed filename provides no meaningful access to backup contents.
🎯 Exploit Status
Exploitation requires authenticated access and specific server configurations (like NGINX) where backup files are accessible via web server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.1 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find BackWPup and click 'Update Now'.
4. Verify the version is 5.5.1 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Platform: WordPress
Remove or restrict access to the vulnerable 'backwpup_working' AJAX action
Add to theme's functions.php or custom plugin: remove_action('wp_ajax_backwpup_working', 'backwpup_working');
🧯 If You Can't Patch
- Restrict backup file access via web server configuration (e.g., block .zip/.tar access in NGINX/Apache)
- Remove Subscriber and higher role users who don't need backup access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → BackWPup version. If version is 5.5.0 or lower, you are vulnerable.
Check Version:
wp plugin list --name=backwpup --field=version (if WP-CLI installed)
Verify Fix Applied:
Confirm BackWPup version is 5.5.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed attempts to access backup files with predictable names
- Unusual AJAX requests to 'admin-ajax.php' with action 'backwpup_working' from non-admin users
Network Indicators:
- Pattern of requests to backup files following AJAX calls to backwpup_working endpoint
SIEM Query:
source="web_logs" AND (uri="*/admin-ajax.php*action=backwpup_working*" OR uri="*.zip" OR uri="*.tar*")
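The two log indicators above, turned into a small correlation over access-log lines. This is an added example written for this page, not code from the advisory or from the BackWPup project: the log lines are constructed in NGINX/Apache "combined" format with made-up IPs, paths and timestamps, and the 10-minute window and the miss threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format); not real traffic.
# 203.0.113.7 calls the backwpup_working action and then probes archive names;
# 198.51.100.4 is ordinary site traffic and should not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=backwpup_working HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:12:00:09 +0000] "GET /wp-content/uploads/backwpup-abc/backwpup_1_2025-10-10_12-00-00.zip HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:12:00:10 +0000] "GET /wp-content/uploads/backwpup-abc/backwpup_2_2025-10-10_12-00-00.zip HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:12:00:11 +0000] "GET /wp-content/uploads/backwpup-abc/backwpup_3_2025-10-10_12-00-00.tar.gz HTTP/1.1" 200 10485760 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:12:05:00 +0000] "GET /wp-content/uploads/2025/10/photo.jpg HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:12:05:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD URI PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Archive extensions a backup plugin typically produces (assumed list).
BACKUP_EXT_RE = re.compile(r"\.(zip|tar(\.gz|\.bz2)?|tgz)$", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def is_backwpup_working(entry):
    """True for an admin-ajax.php request whose action=backwpup_working is visible in the URI."""
    return "admin-ajax.php" in entry["uri"] and "action=backwpup_working" in entry["uri"]


def is_backup_archive(entry):
    """True when the request path (query string stripped) ends in a backup archive extension."""
    path = entry["uri"].split("?", 1)[0]
    return BACKUP_EXT_RE.search(path) is not None


def analyze(log_text, window=timedelta(minutes=10), miss_threshold=2):
    """Per client IP, flag backwpup_working calls followed by archive requests inside the
    window (indicator 1) and repeated 404s against archive names (indicator 2)."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        working_calls = [e for e in evs if is_backwpup_working(e)]
        archive_hits = [e for e in evs if is_backup_archive(e)]
        # Indicator 1: archive request shortly after a backwpup_working call from the same IP.
        correlated = [
            a for a in archive_hits
            if any(0 <= (a["ts"] - w["ts"]).total_seconds() <= window.total_seconds()
                   for w in working_calls)
        ]
        # Indicator 2: guessed archive names that did not exist.
        misses = [a for a in archive_hits if a["status"] == 404]
        # Successful downloads are the ones that need an incident-response look.
        downloaded = [a["uri"] for a in archive_hits if a["status"] == 200]
        if correlated or len(misses) >= miss_threshold:
            findings.append({
                "ip": ip,
                "working_calls": len(working_calls),
                "archive_requests": len(archive_hits),
                "correlated": len(correlated),
                "misses": len(misses),
                "downloaded": downloaded,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

One caveat that applies equally to the SIEM query above: the `action` parameter of a POST to admin-ajax.php travels in the request body, so it never appears in a standard access log and neither this script nor a URI-only query will match it. Treat bare POSTs to admin-ajax.php that are closely followed by archive requests from the same client as a lower-confidence version of the same signal, or capture the action name at the application or WAF layer.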
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3381187%40backwpup%2Ftrunk&old=3362645%40backwpup%2Ftrunk&sfp_email=&sfph_mail=#file23
- https://research.cleantalk.org/cve-2025-10579
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1e9a1484-2000-47fa-9890-fa02eddabcd9?source=cve