Description
WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory.
Published: 2026-05-16
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Plugin Backup and Restore version 1.0.3 contains an arbitrary file deletion flaw that allows authenticated attackers to delete any file within the WordPress installation directory by sending crafted POST requests to admin‑ajax.php. This vulnerability is a classic Directory Traversal (CWE‑22) issue; successful exploitation results in loss of site content, configuration files, or code that could enable further compromise. The degradation of data integrity could effectively bring the site offline if critical files are removed.

Affected Systems

The vulnerability affects WordPress users running the Miniorange Backup and Restore plugin at version 1.0.3. No other versions or vendor products are listed as impacted in the CNA data.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity risk. EPSS information is not available, so the current likelihood of exploitation cannot be quantified, but the flaw is listed as “not in KEV” which suggests it has not yet been publicly exploited. The attack vector appears to be remote via a web request, but requires the attacker to be authenticated and have access to the WordPress admin panel with the plugin activated. Under these conditions, the flaw can be weaponised quickly by a determined adversary.

Generated by OpenCVE AI on May 16, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Backup and Restore plugin to the latest version that removes the arbitrary file deletion flaw.
  • If upgrading is not possible, uninstall the plugin entirely to eliminate the vulnerability.
  • Block or restrict POST access to admin‑ajax.php for non‑administrative users.
  • Audit the file system for any unintended deletions and restore from backup if necessary.

Generated by OpenCVE AI on May 16, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory.
Title WordPress Plugin Backup and Restore 1.0.3 Arbitrary File Deletion
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:26:19.167Z

Reserved: 2026-05-16T14:51:44.289Z

Link: CVE-2021-47979

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-16T16:16:23.490

Modified: 2026-05-16T16:16:23.490

Link: CVE-2021-47979

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T16:45:27Z

Weaknesses