Description
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the showdata and initiate_restore parameters in all versions up to, and including, 1.24.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an admin user into performing an action such as clicking on a link.
Published: 2025-01-15
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross-Site Scripting flaw caused by insufficient input sanitization and output escaping in the showdata and initiate_restore parameters of the UpdraftPlus plugin. An attacker can craft a URL carrying arbitrary JavaScript in one of these parameters, and the value is reflected into the page when an administrator opens the link. The injected script runs with the privileges of the logged-in admin, potentially allowing the attacker to manipulate the page or perform actions in the admin's session.

Affected Systems

Vulnerable versions are all releases of UpdraftPlus WP Backup & Migration Plugin up to and including 1.24.12, as provided by the vendor David Anderson. Any WordPress site that has installed or is currently running any of these affected releases is at risk.

Risk and Exploitability

The CVSS score of 6.1 reflects a moderate risk, and an EPSS score of <1% indicates a low probability of widespread exploitation at this time. The issue is not listed in CISA's KEV catalog. Exploitation requires only that an admin user visits a specially crafted link; no authentication is needed and the attack vector is primarily social engineering. Because the injected code runs in the administrator's session, the consequences can be significant for confidentiality and integrity while the admin is logged in.

Generated by OpenCVE AI on June 18, 2026 at 03:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade UpdraftPlus to the latest available version, which addresses the reflected XSS flaw.
  • If an upgrade cannot be performed immediately, block requests containing the showdata or initiate_restore parameters by configuring a web application firewall or by adding URL filtering rules to the server configuration.
  • Apply additional input validation or output escaping in any custom code that interacts with UpdraftPlus to prevent unescaped data from being rendered in the admin interface.
  • Monitor administrator activity for unexpected script execution and review server logs for suspicious query strings containing the vulnerable parameters.
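The last two actions (filter requests carrying the two parameters, review logs for suspicious query strings) can be turned into a simple log check. The script below is an added example, not OpenCVE's or UpdraftPlus's code: it parses common-format access log lines, flags any request that carries showdata or initiate_restore, and raises the severity when the decoded value contains HTML metacharacters. The sample log lines and the admin page path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters named in the advisory as the reflected-XSS sinks.
SUSPECT_PARAMS = ("showdata", "initiate_restore")
# Characters that let a reflected value break out of its HTML context.
MARKUP_CHARS = re.compile(r'[<>"\']')
# Common/combined log format: only the quoted request line is needed.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_request(log_line):
    """Return a finding dict if the request carries a suspect parameter, else None.

    severity "review": the parameter is present at all (the advisory suggests
    filtering such requests while unpatched); "high": the percent-decoded value
    also contains HTML metacharacters, i.e. it looks like an injection attempt.
    """
    m = REQUEST_LINE.search(log_line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)  # parse_qs percent-decodes values
    hits = {name: params[name] for name in SUSPECT_PARAMS if name in params}
    if not hits:
        return None
    severity = "review"
    for values in hits.values():
        if any(MARKUP_CHARS.search(v) for v in values):
            severity = "high"
    return {"severity": severity, "params": hits, "request": m.group("target")}


def scan_log(lines):
    """Return one finding per log line that deserves an analyst's attention."""
    return [f for f in (inspect_request(line) for line in lines) if f]


# Constructed sample lines (not real traffic); the admin path is an assumption.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=updraftplus&showdata=%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1" 200 512',
    '203.0.113.11 - - [15/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin.php?page=updraftplus&initiate_restore=1 HTTP/1.1" 200 840',
    '198.51.100.7 - - [15/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin.php?page=updraftplus HTTP/1.1" 200 840',
    "malformed line without a request",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["severity"], finding["params"], finding["request"])
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a "high" finding is worth correlating with the admin sessions active at that timestamp.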

Advisories
Source: EUVD
ID: EUVD-2025-1552
Title: The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the showdata and initiate_restore parameters in all versions up to, and including, 1.24.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an admin user into performing an action such as clicking on a link.
History

Thu, 16 Jan 2025 19:15:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Jan 2025 22:30:00 +0000

Values added:
Description: The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the showdata and initiate_restore parameters in all versions up to, and including, 1.24.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an admin user into performing an action such as clicking on a link.
Title: UpdraftPlus - Backup/Restore <= 1.24.12 - Reflected Cross-Site Scripting
Weaknesses: CWE-79
References: (none recorded)
Metrics (cvssV3_1): {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:33.397Z

Reserved: 2025-01-03T19:31:41.889Z

Link: CVE-2025-0215

Vulnrichment

Updated: 2025-01-16T18:43:21.869Z

NVD

Status : Deferred

Published: 2025-01-15T23:15:10.453

Modified: 2026-06-17T08:26:05.930

Link: CVE-2025-0215

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T03:15:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')