Description
WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and download_backup_file parameters in tools.php. Attackers can exploit insufficient input validation using directory traversal techniques to access wp-config.php, database dumps, and other sensitive files, or delete critical files such as .htaccess to expose backup directories.
Published: 2026-06-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Simple-Backup 2.7.11 allows an attacker to delete and download arbitrary files by manipulating the delete_backup_file and download_backup_file parameters in tools.php. The plugin uses these values as file paths without validating them, so directory traversal sequences such as ../ reach files outside the backup directory: wp-config.php (database credentials and authentication salts), database dumps, and the .htaccess that is meant to keep the backup directory from being listed or downloaded directly; deleting that .htaccess exposes every stored backup to unauthenticated download. Because no authentication is required, these weaknesses let an unauthenticated attacker compromise the confidentiality, integrity, and availability of the WordPress installation, exposing sensitive data or disabling essential security controls.

Affected Systems

The vulnerability affects the ChrisHurst Simple Backup plugin for WordPress, specifically version 2.7.11. No other affected versions are listed in the CNA data.

Risk and Exploitability

The CVSS v4.0 base score is 8.7 (High); the CVSS v3.1 score is 7.5. Both vectors record network access with no privileges and no user interaction (AV:N/PR:N/UI:N) but rate only confidentiality as high (VI:N/VA:N and I:N/A:N), even though the file-deletion path also affects integrity and availability, so treat the numeric score as a floor rather than a ceiling. The EPSS score is below 1%, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records a public proof of concept ('Exploitation: poc') with 'Automatable: yes'. Because tools.php is a publicly reachable PHP endpoint that performs no authentication check, exploitation requires nothing more than a single crafted request from any host that can reach the WordPress site, making the risk immediate for unpatched deployments.
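A way to check whether a site has already been probed, as an added example that is not part of the OpenCVE analysis or the plugin: the script below scans combined-format access log lines for requests to tools.php whose delete_backup_file or download_backup_file parameter carries a traversal sequence, an absolute path, or a dotfile name. It assumes PHP 8.0 or later; the plugin directory shown in the sample lines (/wp-content/plugins/simple-backup/) is an assumption and only the trailing tools.php is matched; the log lines are constructed for the demo.

```php
<?php
// Added example (not from the advisory, OpenCVE, or the Simple Backup plugin):
// flag access-log requests to tools.php whose backup-file parameters contain
// directory traversal, an absolute path, or a dotfile name.
// Assumptions: PHP 8.0+; the plugin path in the sample lines is illustrative
// (only the trailing "tools.php" is matched); the log lines are constructed.

const VULNERABLE_PARAMS = ['delete_backup_file', 'download_backup_file'];

// Returns one [line number, parameter, decoded value] entry per suspicious parameter.
function find_traversal_attempts(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        // Request line inside the quotes: METHOD /path?query HTTP/x.y
        if (!preg_match('#"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/#', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (!isset($url['path'], $url['query']) || !str_ends_with($url['path'], '/tools.php')) {
            continue;
        }
        parse_str($url['query'], $query);           // decodes %xx once, like $_GET
        foreach (VULNERABLE_PARAMS as $param) {
            if (!isset($query[$param]) || !is_string($query[$param])) {
                continue;
            }
            $value = rawurldecode($query[$param]);   // second decode catches %252e%252e
            $suspicious = $value === ''
                || str_contains($value, '..')
                || str_contains($value, '\\')
                || str_starts_with($value, '/')
                || $value !== basename($value)       // any remaining path separator
                || $value[0] === '.';                // .htaccess, .htpasswd
            if ($suspicious) {
                $findings[] = [$i + 1, $param, $value];
            }
        }
    }
    return $findings;
}

// Constructed sample: two attack attempts, one legitimate download, one unrelated hit.
$sample = [
    '203.0.113.5 - - [15/Jun/2026:14:02:11 +0000] "GET /wp-content/plugins/simple-backup/tools.php?download_backup_file=../../../wp-config.php HTTP/1.1" 200 3412 "-" "curl/8.5.0"',
    '203.0.113.5 - - [15/Jun/2026:14:02:19 +0000] "GET /wp-content/plugins/simple-backup/tools.php?delete_backup_file=%2e%2e%2f.htaccess HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '198.51.100.7 - - [15/Jun/2026:14:05:40 +0000] "GET /wp-content/plugins/simple-backup/tools.php?download_backup_file=site-2026-06-15.zip HTTP/1.1" 200 104857 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jun/2026:14:06:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach (find_traversal_attempts($sample) as [$lineNo, $param, $value]) {
    printf("line %d: %s=%s\n", $lineNo, $param, $value);
}
```

The first two sample lines are reported (the second only after URL decoding restores the ../ sequence); the legitimate download on the third line is not, because its value survives basename() unchanged and contains no traversal sequence. A 200 status on a flagged line is the strongest signal that the download or deletion succeeded, so pair the output with the response sizes when triaging.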

Generated by OpenCVE AI on June 16, 2026 at 02:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed version of the Simple Backup plugin is listed in the CVE record. If the vendor publishes one, update to it; otherwise uninstall the plugin entirely, since deactivating it does not remove tools.php from the web root.
  • Restrict access to the tools.php endpoint using web server access controls or the plugin’s internal settings so that only trusted users can trigger delete or download actions.
  • Sanitize and validate all input parameters to the delete_backup_file and download_backup_file actions, rejecting any value that contains directory traversal sequences such as '..' or absolute path separators.
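The validation in the last recommendation, worked through as an added example that is not the Simple Backup plugin's own code: the unsafe pattern behind CWE-22 next to a hardened version that allow-lists the filename, refuses dotfiles, and confirms the canonical path stays inside the backup directory. It assumes PHP 8.0 or later; the backup directory location, the allowed extension list, the function names, and the WordPress capability and nonce action shown in the comment are illustrative; a temporary directory with one dummy backup is created so the demo runs outside WordPress.

```php
<?php
// Added example (not the Simple Backup plugin's own code): the file-name
// handling behind CWE-22 in an unsafe form and a hardened form.
// Assumptions: PHP 8.0+; backup directory, extension list and function names
// are illustrative; a temp directory and a dummy backup are created for the demo.

$backup_dir = sys_get_temp_dir() . '/simple-backup-demo';
@mkdir($backup_dir, 0700, true);
touch($backup_dir . '/site-2026-06-15.zip');      // constructed "backup"

// UNSAFE: the request parameter is joined straight onto the directory, so
// "../../wp-config.php" walks out of it and is then read or unlinked.
function unsafe_backup_path(string $backup_dir, string $name): string
{
    return $backup_dir . '/' . $name;
}

// HARDENED: allow-list the filename shape, refuse dotfiles, then verify the
// canonical path is still inside the canonical backup directory.
function safe_backup_path(string $backup_dir, string $name): ?string
{
    // 1. A bare filename only: no separators, a conservative character set,
    //    and one of the extensions the plugin writes (assumed list).
    if ($name === ''
        || $name !== basename($name)
        || !preg_match('/^[A-Za-z0-9._-]+\.(zip|sql|tar\.gz)$/', $name)) {
        return null;
    }
    // 2. Never expose or delete dotfiles such as .htaccess.
    if ($name[0] === '.') {
        return null;
    }
    // 3. realpath() resolves "..", symlinks and missing files (false), so a
    //    symlink inside the backup directory cannot point at wp-config.php either.
    $root = realpath($backup_dir);
    $path = realpath($backup_dir . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false
        || !str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// The other half of the fix is authorisation, which tools.php lacks entirely.
// Inside WordPress the handler would begin with (nonce action name assumed):
//   if (!current_user_can('manage_options')) { wp_die('Forbidden', '', 403); }
//   check_admin_referer('simple_backup_tools');
// Those calls need WordPress loaded, so they are shown as a comment only.

$attempts = [
    'site-2026-06-15.zip',        // legitimate backup
    '../../wp-config.php',        // traversal to the site configuration
    '../.htaccess',               // delete the protection on the backup directory
    '..%2F..%2Fwp-config.php',    // URL-encoded; PHP decodes $_GET once itself
];
foreach ($attempts as $raw) {
    $name = rawurldecode($raw);   // stands in for the decoding PHP applies to $_GET
    printf("%s\n  unsafe -> %s\n  safe   -> %s\n", $raw,
        unsafe_backup_path($backup_dir, $name),
        safe_backup_path($backup_dir, $name) ?? 'REJECTED');
}
```

The realpath() comparison is the check that matters most: string filtering alone misses symlinks and platform-specific separators, whereas comparing canonical paths rejects anything whose real location is outside the directory, whatever the input looked like. Until a fixed release exists, combine this with the access-control step above: denying tools.php at the web server (an Apache <Files> block or an nginx location rule limited to trusted addresses) takes the endpoint out of reach without touching plugin code.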

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

Type          Values Removed   Values Added
Description                    WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and download_backup_file parameters in tools.php. Attackers can exploit insufficient input validation using directory traversal techniques to access wp-config.php, database dumps, and other sensitive files, or delete critical files .htaccess to expose backup directories.
Title                          WordPress Simple-Backup 2.7.11 Arbitrary File Deletion and Download
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                               cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T14:50:06.600Z

Reserved: 2026-06-15T11:43:52.998Z

Link: CVE-2016-20076

Vulnrichment

Updated: 2026-06-15T14:50:00.704Z

NVD

Status : Deferred

Published: 2026-06-15T14:16:30.940

Modified: 2026-06-15T20:50:47.973

Link: CVE-2016-20076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T02:45:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')