CVE-2025-28954

7.4 HIGH

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in the wphobby Backwp WordPress plugin allows attackers to trick authenticated administrators into performing unauthorized actions, specifically arbitrary file deletion via path traversal. This affects all WordPress sites running Backwp plugin versions up to 2.0.2. Attackers can delete critical files when administrators visit malicious web pages while logged in.

💻 Affected Systems

Products:
  • wphobby Backwp WordPress plugin
Versions: n/a through 2.0.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress administrator to be authenticated and visit a malicious page. The vulnerability combines CSRF with path traversal to achieve arbitrary file deletion.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site compromise through deletion of WordPress core files, configuration files, or database backups, leading to permanent data loss and site unavailability.

🟠 Likely Case

Selective file deletion causing site functionality disruption, content loss, or defacement through removal of theme/plugin files.

🟢 If Mitigated

No impact if the plugin's request handler enforces proper CSRF protection (nonce and capability checks) or administrators do not visit untrusted sites while authenticated.

🌐 Internet-Facing: HIGH - WordPress sites are internet-facing by design, and CSRF attacks can be delivered via any website the administrator visits.
🏢 Internal Only: MEDIUM - Internal users could still be targeted via phishing emails or compromised internal sites, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick administrators into visiting malicious pages. The technical exploit is simple once the administrator is lured.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.3 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/backwp/vulnerability/wordpress-backwp-plugin-2-0-2-csrf-to-arbitrary-file-deletion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the Backwp plugin.
  4. Click 'Update Now' if an update is available.
  5. Alternatively, download version 2.0.3 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable Backwp Plugin

Platform: all

Temporarily disable the vulnerable plugin until patched:

  wp plugin deactivate backwp

Implement Anti-Framing Security Headers

Platform: linux

Add security headers to WordPress to block framing-based delivery of the attack. Note that these headers only stop the admin pages from being embedded in a frame; they do not by themselves prevent a cross-site form submission, so treat them as a partial mitigation until the plugin is patched.

Add to .htaccess (requires mod_headers):
  Header set X-Frame-Options "SAMEORIGIN"
  Header set Content-Security-Policy "frame-ancestors 'self'"

🧯 If You Can't Patch

  • Remove Backwp plugin entirely if not essential
  • Implement strict access controls: limit the number of administrator accounts, use a separate browser profile for WordPress administration than for general browsing, and enforce strong authentication

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins and check the Backwp version. If the version is 2.0.2 or lower, the site is vulnerable.

Check Version:

wp plugin get backwp --field=version

Verify Fix Applied:

Verify Backwp plugin version is 2.0.3 or higher in WordPress admin plugins page.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion events in WordPress debug logs
  • 404 responses for files that are known to have existed (core, configuration, theme or plugin files)
  • Plugin activation/deactivation log entries for Backwp

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php carrying file-deletion parameters (including path traversal sequences such as ../) with a Referer or Origin from an unexpected site

SIEM Query:

source="wordpress.log" AND ("file deleted" OR "unlink" OR "rmdir") AND plugin="backwp"
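As an added example (not part of the original advisory), the following Python scanner implements the network indicator above over web-server access logs in the combined format: it flags POSTs to /wp-admin/admin-ajax.php whose Referer is a foreign origin or whose query string contains a path traversal sequence. The site hostname, the log lines and the `action`/`file` parameter names are constructed for the example and are not the plugin's real parameter names.

```python
import re
from urllib.parse import urlsplit, unquote

SITE_HOST = "example.com"  # assumption: hostname of the protected WordPress site

# Apache/Nginx "combined" log format (includes Referer and User-Agent).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Plain and percent-encoded "dot-dot" sequences (checked after one round of decoding,
# so a double-encoded %252e%252e is caught as well).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.IGNORECASE)

def referer_is_foreign(referer, site_host):
    """True when a Referer is present and points at a different host.
    A missing Referer ('-') is not flagged: browsers strip it under several
    referrer policies, so on its own it is inconclusive."""
    if referer in ("", "-"):
        return False
    host = urlsplit(referer).hostname
    return host is not None and host.lower() != site_host.lower()

def classify(line, site_host=SITE_HOST):
    """Return the reasons an access-log line is suspicious, or [] if it is not."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return []
    path, _, query = m["target"].partition("?")
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return []
    reasons = []
    if referer_is_foreign(m["referer"], site_host):
        reasons.append("cross-origin referer")
    if TRAVERSAL_RE.search(unquote(query)):
        reasons.append("path traversal in query")
    return reasons

def scan(lines, site_host=SITE_HOST):
    """Map line index -> reasons for every flagged line."""
    return {i: r for i, line in enumerate(lines) if (r := classify(line, site_host))}

# Constructed sample log lines: one CSRF-delivered traversal attempt, two benign requests.
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=hypothetical_delete&file=../../wp-config.php HTTP/1.1" 200 12 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 54 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2025:10:00:03 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 1024 "https://example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, reasons in scan(LOG_LINES).items():
        print(idx, LOG_LINES[idx].split(" ")[0], ", ".join(reasons))
```

Form bodies of POST requests are not recorded in access logs, so a deletion request that puts the file name only in the body is visible here solely through its cross-origin Referer; correlate with the WordPress debug-log indicators above.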
