Description
The WPRecovery plugin for WordPress is vulnerable to SQL Injection via the 'data[id]' parameter in all versions up to, and including, 2.0. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the result of this SQL injection is passed directly to PHP's unlink() function, allowing attackers to delete arbitrary files on the server by injecting file paths through the SQL query.
Published: 2025-10-03
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion and Data Disclosure
Action: Patch Immediately
AI Analysis

Impact

The WPRecovery WordPress plugin is vulnerable to an unauthenticated SQL injection through the data[id] parameter in all releases up to version 2.0. An attacker can append malicious SQL fragments to the query, allowing extraction of sensitive database content. The result of that injection is then passed directly to PHP’s unlink() function, which permits the attacker to delete arbitrary files on the server. The combination of data exfiltration and file deletion represents a significant loss of confidentiality and integrity.

Affected Systems

All installations of the quantumrose WPRecovery plugin, version 2.0 and earlier, are affected. Those deploying older releases of the plugin for WordPress fall under the scope of this vulnerability.

Risk and Exploitability

The CVSS base score of 9.1 highlights the severity, while the EPSS score of < 1% indicates that exploitation probability remains low but non‑zero. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by sending an unauthenticated HTTP request containing crafted data[id] input; no prior authentication or privileged access is necessary. The attack surface is thus wide, making the risk primarily driven by the high impact rather than widespread exploitation.

Generated by OpenCVE AI on April 22, 2026 at 22:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPRecovery to a version newer than 2.0 where the injection flaw is fixed
  • If an immediate update is not feasible, uninstall or disable the plugin entirely to eliminate the attack vector
  • Configure a web application firewall or modify the site’s scripts to block or restrict access to delete_backup.php and filter out malicious SQL patterns in the data[id] parameter

Generated by OpenCVE AI on April 22, 2026 at 22:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-32285 The WPRecovery plugin for WordPress is vulnerable to SQL Injection via the 'data[id]' parameter in all versions up to, and including, 2.0. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the result of this SQL injection is passed directly to PHP's unlink() function, allowing attackers to delete arbitrary files on the server by injecting file paths through the SQL query.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 03 Oct 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Oct 2025 11:30:00 +0000

Type Values Removed Values Added
Description The WPRecovery plugin for WordPress is vulnerable to SQL Injection via the 'data[id]' parameter in all versions up to, and including, 2.0. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the result of this SQL injection is passed directly to PHP's unlink() function, allowing attackers to delete arbitrary files on the server by injecting file paths through the SQL query.
Title WPRecovery <= 2.0 - Unauthenticated SQL Injection to Arbitrary File Deletion
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:58.090Z

Reserved: 2025-09-19T13:55:25.247Z

Link: CVE-2025-10726

cve-icon Vulnrichment

Updated: 2025-10-03T17:54:18.122Z

cve-icon NVD

Status : Deferred

Published: 2025-10-03T12:15:43.417

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10726

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T22:15:26Z

Weaknesses