Description
WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory.
Published: 2026-05-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Plugin Backup and Restore version 1.0.3 contains an arbitrary file deletion flaw that allows authenticated attackers to delete any file within the WordPress installation directory by sending crafted POST requests to admin‑ajax.php. This vulnerability is a classic Directory Traversal (CWE‑22) issue; successful exploitation results in loss of site content, configuration files, or code that could enable further compromise. The degradation of data integrity could effectively bring the site offline if critical files are removed.

Affected Systems

The vulnerability affects WordPress users running the Miniorange Backup and Restore plugin at version 1.0.3. No other versions or vendor products are listed as impacted in the CNA data.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity risk. EPSS information is not available, so the current likelihood of exploitation cannot be quantified, but the flaw is listed as “not in KEV” which suggests it has not yet been publicly exploited. The attack vector appears to be remote via a web request, but requires the attacker to be authenticated and have access to the WordPress admin panel with the plugin activated. Under these conditions, the flaw can be weaponised quickly by a determined adversary.

Generated by OpenCVE AI on May 16, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Backup and Restore plugin to the latest version that removes the arbitrary file deletion flaw.
  • If upgrading is not possible, uninstall the plugin entirely to eliminate the vulnerability.
  • Block or restrict POST access to admin‑ajax.php for non‑administrative users.
  • Audit the file system for any unintended deletions and restore from backup if necessary.

Generated by OpenCVE AI on May 16, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 17 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Miniorange
Miniorange backup And Restore
Wordpress
Wordpress wordpress
Vendors & Products Miniorange
Miniorange backup And Restore
Wordpress
Wordpress wordpress

Sat, 16 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory.
Title WordPress Plugin Backup and Restore 1.0.3 Arbitrary File Deletion
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Miniorange Backup And Restore
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T12:39:23.739Z

Reserved: 2026-05-16T14:51:44.289Z

Link: CVE-2021-47979

cve-icon Vulnrichment

Updated: 2026-05-18T12:39:20.441Z

cve-icon NVD

Status : Deferred

Published: 2026-05-16T16:16:23.490

Modified: 2026-05-18T17:05:46.240

Link: CVE-2021-47979

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T17:00:33Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')