CVE-2025-10726
📋 TL;DR
The WPRecovery WordPress plugin contains an unauthenticated SQL injection vulnerability that allows attackers to extract sensitive database information and delete arbitrary files on the server. This affects all versions up to and including 2.0. Any WordPress site using the vulnerable plugin is at risk.
💻 Affected Systems
- WPRecovery WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, sensitive data exfiltration, and arbitrary file deletion leading to site destruction or server takeover.
Likely Case
Database information theft (user data, passwords, configuration) and selective file deletion causing site disruption.
If Mitigated
Limited impact if proper WAF rules block SQL injection patterns and file deletion attempts.
🎯 Exploit Status
SQL injection via 'data[id]' parameter is straightforward. Combined file deletion capability increases attack impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Immediately disable and remove the WPRecovery plugin from all WordPress installations. 2. Check for any unauthorized database changes or file deletions. 3. Monitor for alternative backup solutions that follow WordPress security best practices.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
allImplement WAF rules to block SQL injection patterns targeting the 'data[id]' parameter and file deletion attempts via unlink() function.
File Permission Restrictions
linuxRestrict write and delete permissions on critical WordPress directories to prevent arbitrary file deletion.
chmod 755 wp-content/plugins/wprecovery/
chmod 644 wp-content/plugins/wprecovery/*.php
🧯 If You Can't Patch
- Immediately disable the WPRecovery plugin via WordPress admin or by renaming its directory
- Implement network-level blocking of requests to the vulnerable delete_backup.php and index.php endpoints
🔍 How to Verify
Check if Vulnerable:
Check if WPRecovery plugin is installed and active in WordPress plugins list. Verify version is 2.0 or earlier.Check Version:
wp plugin list --name=wprecovery --field=version (if WP-CLI installed)Verify Fix Applied:
Confirm WPRecovery plugin is completely removed from wp-content/plugins directory and no longer appears in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- File deletion events in system logs
- HTTP requests to delete_backup.php with SQL-like parameters
Network Indicators:
- POST/GET requests containing SQL injection patterns in 'data[id]' parameter
- Requests to plugin endpoints from unexpected sources
SIEM Query:
source="web_logs" AND (uri="*delete_backup.php*" OR uri="*index.php*") AND (param="*data[id]*" AND value="*' OR *" OR value="*; *")🔗 References
- https://plugins.svn.wordpress.org/wprecovery/trunk/delete_backup.php
- https://plugins.svn.wordpress.org/wprecovery/trunk/index.php
- https://plugins.trac.wordpress.org/browser/wprecovery/tags/2.0/delete_backup.php#L5
- https://plugins.trac.wordpress.org/browser/wprecovery/tags/2.0/index.php#L166
- https://www.wordfence.com/threat-intel/vulnerabilities/id/15880d3b-87de-4b59-878c-e36e73c45e8a?source=cve
