CVE-2025-11380
📋 TL;DR
The Everest Backup WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to retrieve backup file locations when a backup is running. This affects all WordPress sites using Everest Backup plugin versions 2.3.5 and earlier. Attackers can potentially download sensitive backup files containing site data.
💻 Affected Systems
- Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers download complete site backups containing sensitive data like database credentials, user information, and configuration files, leading to full site compromise.
Likely Case
Attackers access backup files containing sensitive but non-critical data, potentially exposing user information or site configuration details.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure of backup file paths without actual file access.
🎯 Exploit Status
Exploitation requires sending crafted AJAX requests to the vulnerable endpoint while backups are running
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.6 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find Everest Backup plugin
4. Click 'Update Now' if available
5. Alternatively, download version 2.3.6+ from WordPress repository
6. Deactivate old version and upload new version
7. Activate updated plugin
🔧 Temporary Workarounds
Disable Everest Backup Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate everest-backup
Restrict AJAX Access
apacheBlock access to the vulnerable AJAX endpoint via web application firewall or .htaccess
RewriteEngine On
RewriteCond %{QUERY_STRING} action=everest_process_status
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
🧯 If You Can't Patch
- Disable Everest Backup plugin completely
- Implement strict access controls to backup directories and files
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Everest Backup for version number. If version is 2.3.5 or lower, you are vulnerable.Check Version:
wp plugin get everest-backup --field=versionVerify Fix Applied:
After updating, verify Everest Backup plugin shows version 2.3.6 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to /wp-admin/admin-ajax.php with action=everest_process_status from unauthenticated users
- Multiple failed authentication attempts followed by AJAX requests
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=everest_process_status parameter from external IPs
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=everest_process_status*" AND user="-"