CVE-2025-15041
📋 TL;DR
This vulnerability in the BackWPup WordPress plugin allows authenticated attackers with subscriber-level access or higher to modify WordPress site options without proper authorization. Attackers can change the default user registration role to administrator and enable user registration, granting themselves full administrative access. All WordPress sites running BackWPup version 5.6.2 or earlier are affected.
💻 Affected Systems
- BackWPup - WordPress Backup & Restore Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrative privileges, install backdoors, exfiltrate data, deface the site, or use it for further attacks.
Likely Case
Attackers create administrator accounts for themselves, gaining full control over the WordPress installation and potentially the server.
If Mitigated
If proper access controls and monitoring are in place, unauthorized option changes would be detected and blocked before privilege escalation occurs.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has any WordPress user account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.3
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3443073%40backwpup&new=3443073%40backwpup&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find BackWPup and click 'Update Now'. 4. Verify version is 5.6.3 or higher.
🔧 Temporary Workarounds
Disable BackWPup Plugin
allTemporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate backwpup
Restrict User Registration
allDisable user registration in WordPress settings to prevent account creation
🧯 If You Can't Patch
- Implement strict access controls and monitor for unauthorized option changes
- Disable the BackWPup plugin completely and use alternative backup solutions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → BackWPup version. If version is 5.6.2 or lower, you are vulnerable.Check Version:
wp plugin list --name=backwpup --field=versionVerify Fix Applied:
After updating, verify BackWPup version is 5.6.3 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unauthorized modifications to wp_options table
- Changes to default_role or users_can_register options
- New administrator account creation from unexpected IPs
Network Indicators:
- POST requests to /wp-json/backwpup/v1/site-options endpoint from non-admin users
SIEM Query:
source="wordpress.log" AND ("default_role" OR "users_can_register") AND action="modified" AND user_role!="administrator"🔗 References
- https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.1/src/Jobs/API/Rest.php?marks=88,337,788-812#L88
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3443073%40backwpup&new=3443073%40backwpup&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2ab8f440-2910-41a3-8bbc-afb4cafd33b5?source=cve
