Description
WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and download_backup_file parameters in tools.php. Attackers can exploit insufficient input validation using directory traversal techniques to access wp-config.php, database dumps, and other sensitive files, or delete critical files .htaccess to expose backup directories.
Published: 2026-06-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Simple-Backup 2.7.11 allows an attacker to delete and download arbitrary files by manipulating the delete_backup_file and download_backup_file parameters in tools.php. The plugin fails to properly validate user input, enabling directory traversal that can target critical files such as wp-config.php, database dumps, or .htaccess. These weaknesses allow unauthenticated attackers to compromise the confidentiality, integrity, and availability of the WordPress installation, potentially exposing sensitive data or disabling essential security controls.

Affected Systems

The vulnerability affects the ChrisHurst Simple Backup plugin for WordPress, specifically version 2.7.11. No other affected versions are listed in the CNA data.

Risk and Exploitability

With a CVSS score of 8.7, this issue is considered high severity. The EPSS score is < 1%, indicating a very low but nonzero probability of exploitation, and the plugin does not enforce authentication. Based on the description, it is inferred that an attacker can target the publicly exposed tools.php endpoint using unauthenticated HTTP requests with crafted delete_backup_file or download_backup_file parameters to trigger directory traversal. An attacker can simply request the vulnerable URL with crafted parameters from any network location that can reach the WordPress site, making the risk immediate for unpatched deployments.

Generated by OpenCVE AI on June 18, 2026 at 03:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple Backup plugin to the latest version that contains the fix for CVE-2016-20076, or uninstall the plugin if it is no longer needed.
  • If an update is not available, restrict access to tools.php by configuring the web server to require authentication or by using .htaccess rules that deny unauthenticated requests.
  • Verify file permissions on critical WordPress configuration files (e.g., wp-config.php, .htaccess) and ensure they are not publicly writable or readable, thereby reducing the impact of any potential exploitation.

Generated by OpenCVE AI on June 18, 2026 at 03:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Chrishurst
Chrishurst simple Backup
Wordpress
Wordpress wordpress
Vendors & Products Chrishurst
Chrishurst simple Backup
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and download_backup_file parameters in tools.php. Attackers can exploit insufficient input validation using directory traversal techniques to access wp-config.php, database dumps, and other sensitive files, or delete critical files .htaccess to expose backup directories.
Title WordPress Simple-Backup 2.7.11 Arbitrary File Deletion and Download
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Chrishurst Simple Backup
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T14:50:06.600Z

Reserved: 2026-06-15T11:43:52.998Z

Link: CVE-2016-20076

cve-icon Vulnrichment

Updated: 2026-06-15T14:50:00.704Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T14:16:30.940

Modified: 2026-06-15T20:50:47.973

Link: CVE-2016-20076

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:09:23Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')