{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25224", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-24T14:06:18.352Z", "datePublished": "2025-07-25T02:23:58.569Z", "dateUpdated": "2026-04-08T17:25:16.491Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:16.491Z"}, "affected": [{"vendor": "databasebackup", "product": "WP Database Backup \u2013 Unlimited Database & Files Backup by Backup for WP", "versions": [{"version": "0", "status": "affected", "lessThan": "5.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system."}], "title": "WP Database Backup < 5.2 - Unauthenticated OS Command Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve"}, {"url": "https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/"}, {"url": "https://plugins.trac.wordpress.org/changeset/2078035/wp-database-backup"}, {"url": "https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.html"}, {"url": "https://packetstormsecurity.com/files/153781/"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_db_backup_rce.rb"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "cweId": "CWE-78", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "timeline": [{"time": "2019-04-24T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-25T17:10:45.434794Z", "id": "CVE-2019-25224", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-25T17:12:05.066Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25224", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-25T17:10:45.434794Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-25T17:11:54.295Z"}}], "cna": {"title": "WP Database Backup < 5.2 - Unauthenticated OS Command Injection", "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "databasebackup", "product": "WP Database Backup \u2013 Unlimited Database & Files Backup by Backup for WP", "versions": [{"status": "affected", "version": "0", "lessThan": "5.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2019-04-24T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve"}, {"url": "https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/"}, {"url": "https://plugins.trac.wordpress.org/changeset/2078035/wp-database-backup"}, {"url": "https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.html"}, {"url": "https://packetstormsecurity.com/files/153781/"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_db_backup_rce.rb"}], "descriptions": [{"lang": "en", "value": "The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:16.491Z"}}}, "cveMetadata": {"cveId": "CVE-2019-25224", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:25:16.491Z", "dateReserved": "2025-07-24T14:06:18.352Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-25T02:23:58.569Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"defaultStatus": "unaffected", "product": "WP Database Backup \u2013 Unlimited Database & Files Backup by Backup for WP", "vendor": "databasebackup", "versions": [{"lessThan": "5.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "source": "security@wordfence.com"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpseeds:wp_database_backup:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "10FA7230-2BD1-4BDE-9471-AE60C71299D1", "versionEndExcluding": "5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system."}, {"lang": "es", "value": "El complemento WP Database Backup para WordPress es vulnerable a la inyecci\u00f3n de comandos del sistema operativo en versiones anteriores a la 5.2 mediante la funci\u00f3n mysqldump. Esta vulnerabilidad permite a atacantes no autenticados ejecutar comandos arbitrarios en el sistema operativo host."}], "id": "CVE-2019-25224", "lastModified": "2026-06-17T02:31:47.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2019-25224", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "role": "CISA Coordinator", "timestamp": "2025-07-25T17:10:45.434794Z", "version": "2.0.3"}}]}, "published": "2025-07-25T03:15:32.690", "references": [{"source": "security@wordfence.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.html"}, {"source": "security@wordfence.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://packetstormsecurity.com/files/153781/"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/2078035/wp-database-backup"}, {"source": "security@wordfence.com", "tags": ["Exploit"], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_db_backup_rce.rb"}, {"source": "security@wordfence.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{}