Impact
The vulnerability arises from a missing capability check in the process_status_unlink() method of the Everest Backup plugin, allowing an unauthenticated user to invoke this function and delete the files that track the progress of an ongoing backup. When these files are removed, the backup operation terminates unexpectedly, resulting in a loss of data protection because the backup is never completed and no valid snapshot is produced. This primarily impacts the availability of the backup service for the affected WordPress site.
Affected Systems
All installations of the Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin with versions 2.3.8 and earlier are affected. Site administrators should verify the plugin version and ensure it is not within the vulnerable range.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity, with availability as the main property at risk. The EPSS score is below 1%, meaning the estimated likelihood of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog, so no public exploitation is known. Because the function carries no authentication requirement, an attacker can trigger the deletion remotely, for example through the WordPress REST API or plugin settings pages, without administrative credentials. The attack vector is therefore network-reachable and usable by unauthenticated users.
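The class of bug described above, a file-deleting handler reachable without authentication and without a capability check, is shown below beside its hardened form. This is an added illustration written for this page, not Everest Backup's own code; the handler, action and file names are assumed, while the WordPress APIs used (check_ajax_referer, current_user_can, wp_send_json_error, register_rest_route with permission_callback) are real.

```php
<?php
// Hypothetical WordPress handlers that remove a backup progress-tracking file.
// Names are invented for illustration; they are not the plugin's identifiers.

// VULNERABLE SHAPE: registered on the wp_ajax_nopriv_* hook, so any
// unauthenticated request reaches it, and nothing verifies who is calling
// before the progress file is unlinked and the running backup is aborted.
add_action( 'wp_ajax_nopriv_example_status_unlink', 'example_status_unlink_vulnerable' );
function example_status_unlink_vulnerable() {
    $file = WP_CONTENT_DIR . '/uploads/example-backup/status.json';
    if ( file_exists( $file ) ) {
        unlink( $file );
    }
    wp_send_json_success();
}

// HARDENED: only registered for logged-in users, requires a nonce bound to
// this action, and checks an administrative capability before touching disk.
add_action( 'wp_ajax_example_status_unlink', 'example_status_unlink_hardened' );
function example_status_unlink_hardened() {
    // Stops the request with a 403 unless the nonce for this action is valid.
    check_ajax_referer( 'example_status_unlink', 'nonce' );

    // Deleting backup state is an administrative action; reject everyone else.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $file = WP_CONTENT_DIR . '/uploads/example-backup/status.json';
    if ( file_exists( $file ) ) {
        unlink( $file );
    }
    wp_send_json_success();
}

// The same rule applies to REST routes: a permission_callback that returns
// true (or is omitted) exposes the route to unauthenticated callers, so the
// capability check belongs there rather than inside the callback body.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-backup/v1', '/status', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_status_unlink_hardened',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin for this pattern, look for callbacks hooked on wp_ajax_nopriv_* hooks, REST routes whose permission_callback is __return_true, and admin_init or init handlers that act on request parameters, and confirm each one gates destructive actions on a capability check and a nonce.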
OpenCVE Enrichment