CVE-2025-2257
📋 TL;DR
This vulnerability allows authenticated attackers with administrator-level WordPress access to execute arbitrary code on the server via the compression_level parameter in the Total Upkeep plugin. The vulnerability affects all WordPress sites using the BoldGrid Total Upkeep plugin. Attackers can gain full control of affected WordPress installations and potentially the underlying server.
💻 Affected Systems
- Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid
📦 What is this software?
Total Upkeep by BoldGrid
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, website defacement, and lateral movement to other systems on the network.
Likely Case
Website takeover, data exfiltration, malware installation, and backdoor persistence on the WordPress server.
If Mitigated
Limited impact if proper access controls prevent unauthorized administrator accounts and network segmentation contains the breach.
🎯 Exploit Status
Exploitation requires administrator credentials but is straightforward once access is obtained. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.16.11 or later
Vendor Advisory: https://wordpress.org/plugins/boldgrid-backup/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Total Upkeep' and click 'Update Now'.
4. Verify the update completes successfully.
5. Clear any caching plugin or CDN caches.
🔧 Temporary Workarounds
Disable plugin temporarily (WordPress): Deactivate the BoldGrid Total Upkeep plugin until patching is possible.
wp plugin deactivate boldgrid-backup
Restrict administrator access (all platforms): Implement strict access controls and multi-factor authentication for WordPress administrator accounts.
🧯 If You Can't Patch
- Remove administrator access from all non-essential users and implement strict role-based access controls
- Implement web application firewall rules to block suspicious proc_open parameter manipulation
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → BoldGrid Total Upkeep version number
Check Version:
wp plugin get boldgrid-backup --field=version
Verify Fix Applied:
Verify plugin version is 1.16.11 or higher in WordPress admin panel
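The version check above as a script, added here as an example and not part of the advisory or of the Total Upkeep project. It wraps the wp-cli command the advisory gives in a POSIX-shell version comparison against the fixed release 1.16.11; it assumes wp-cli is on PATH and is run from the WordPress root (or with wp-cli's --path option). The live query only runs when the script is invoked with --live, so the comparison functions can be tested offline.

```shell
#!/bin/sh
# Added example, not from the advisory or the Total Upkeep project.
# Compares the installed Total Upkeep version against the fixed release
# named in the advisory (1.16.11) using only POSIX shell.

FIXED_VERSION="1.16.11"

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Missing trailing segments count as 0, so "1.16" compares as "1.16.0".
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"
        y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"
        y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# is_vulnerable VERSION: exit 0 when VERSION is below the fixed release.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed: runs the wp-cli command from the advisory (assumes wp-cli
# is on PATH and is invoked from the WordPress root or with --path=...).
# Exit status: 0 vulnerable, 1 patched, 2 could not read the version.
check_installed() {
    installed=$(wp plugin get boldgrid-backup --field=version 2>/dev/null) || return 2
    if is_vulnerable "$installed"; then
        echo "VULNERABLE: Total Upkeep $installed is below $FIXED_VERSION"
        return 0
    fi
    echo "OK: Total Upkeep $installed is $FIXED_VERSION or later"
    return 1
}

# Only query the live site when asked, so the functions can be sourced
# or tested without wp-cli present.
if [ "${1:-}" = "--live" ]; then
    check_installed
fi
```

Usage: `sh check-total-upkeep.sh --live` from the WordPress root; a non-zero exit of 2 means wp-cli could not read the plugin version (plugin absent or wp-cli misconfigured), which is worth treating as "unknown" rather than "patched".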
📡 Detection & Monitoring
Log Indicators:
- Unusual proc_open commands in web server logs
- Multiple failed login attempts followed by successful administrator login
- Suspicious POST requests to admin-ajax.php with compression_level parameter
Network Indicators:
- Unusual outbound connections from web server to external IPs
- Command and control traffic patterns
SIEM Query:
source="web_server" AND ("proc_open" OR "compression_level") AND status=200
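The SIEM query above expressed as a grep pipeline over a web access log, added here as an example and not part of the advisory. It runs against constructed sample lines so the matching logic can be checked offline. One caveat a defender should keep in mind: a standard access log records only the request line, so a compression_level value sent in a POST body never appears there; this pipeline (like the SIEM query) only catches the query-string form, and a match is a lead for triage, not proof of exploitation.

```shell
#!/bin/sh
# Added example, not from the advisory: the advisory's SIEM query rendered
# as a grep pipeline over an access log, so the logic can be checked offline.
# Caveat: access logs hold the request line only, so a compression_level
# sent in a POST body is invisible here; this catches the query-string form.

# Constructed sample log lines (combined log format); addresses, timestamps
# and sizes are made up for this example.
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?compression_level=9 HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2025:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 99
198.51.100.7 - - [10/Mar/2025:10:02:09 +0000] "POST /wp-admin/admin-ajax.php?compression_level=9 HTTP/1.1" 403 0'

# suspicious_requests: reads log lines on stdin and prints those that are
# POSTs to admin-ajax.php carrying compression_level which the server
# answered with 200 (a 403 from a WAF rule is a blocked attempt, not a hit).
suspicious_requests() {
    grep -E '"POST [^"]*admin-ajax\.php[^"]*compression_level[^"]*" 200 '
}

# count_suspicious [FILE]: number of matching lines; with no FILE, uses the
# constructed sample so the script runs offline.
count_suspicious() {
    if [ -n "${1:-}" ]; then
        suspicious_requests < "$1" | wc -l | tr -d ' '
    else
        printf '%s\n' "$SAMPLE_LOG" | suspicious_requests | wc -l | tr -d ' '
    fi
}

# source_ips [FILE]: distinct client addresses behind the matches, to be
# correlated with the login indicators the advisory lists.
source_ips() {
    if [ -n "${1:-}" ]; then
        suspicious_requests < "$1" | awk '{print $1}' | sort -u
    else
        printf '%s\n' "$SAMPLE_LOG" | suspicious_requests | awk '{print $1}' | sort -u
    fi
}

count_suspicious
source_ips
```

Against a real log, call `count_suspicious /var/log/apache2/access.log` (or the nginx equivalent) and feed the addresses from `source_ips` into the failed-login correlation the advisory describes; the status filter is deliberate, since a request the WAF already rejected should not raise the same alert as one the server processed.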
🔗 References
- https://github.com/BoldGrid/boldgrid-backup/pull/622/files
- https://plugins.svn.wordpress.org/boldgrid-backup/tags/1.16.7/admin/compressor/class-boldgrid-backup-admin-compressor-system-zip.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3257988%40boldgrid-backup&new=3257988%40boldgrid-backup&sfp_email=&sfph_mail=#file9
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec3cc3e-c11b-43b6-9dd0-caa5ccfb90c8?source=cve