Description
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.
Published: 2026-04-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Backup Upload & Resource Exhaustion
Action: Apply Patch
AI Analysis

Impact

The Backup Migration plugin for WordPress suffers from a missing capability verification and no nonce protection on its initializeOfflineAjax function, exposing hard‑coded tokens in the plugin’s JavaScript. Because of this, any unauthenticated user can invoke the AJAX endpoint that triggers the backup upload queue. The consequence is that backups may be transferred to the attacker‑specified cloud storage destination without authorization, and repeated invocations can exhaust server resources. This flaw is a classic Missing Authorization vulnerability (CWE‑862).

Affected Systems

The vulnerability affects all releases of the WordPress plugin named inisev:BackupBliss – Backup & Migration with Free Cloud Storage, commonly known as the Backup Migration plugin, up to and including version 2.0.0. WordPress sites that have this plugin installed and have not applied the newer 2.1.0 update are impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the lack of EPSS data makes it unclear how frequently the flaw will be exploited. The vulnerability is not listed in the CISA KEV catalog. No public proof‑of‑concept has been documented, but the flaw can be exploited remotely with unauthenticated HTTP requests to the plugin’s AJAX endpoint, allowing unauthorized backup uploads and potential resource exhaustion. The risk is moderate, but remediation should be treated as a priority to prevent data leakage and performance degradation.

Generated by OpenCVE AI on April 7, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Backup Migration plugin to version 2.1.0 or later, which removes the missing authorization check and implements proper nonce validation.
  • After upgrading, verify that the plugin’s AJAX endpoints enforce the correct user capability and that nonce checks are active.
  • If upgrading immediately is not possible, block or restrict the offline backup upload feature or the related AJAX URL using web‑server access controls or a firewall rule.
  • Continuously monitor the site for any unexpected backup activity and confirm that no unauthorized data is being transferred to cloud storage.
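The second recommended action above, illustrated with constructed code that is not from the Backup Migration plugin or from OpenCVE: a hypothetical WordPress AJAX handler that only compares a token shipped in its own JavaScript, beside the hardened form that requires a capability and a nonce. All function, hook and option names prefixed hypo_ are assumptions.

```php
<?php
// Constructed illustration of the bug class on this page, not the real plugin's code.

// Hypothetical stand-in for the routine that starts the backup transfers.
function hypo_process_upload_queue() {
    do_action( 'hypo_upload_queue_started' );
}

// Vulnerable pattern: the only gate is a constant that the plugin also prints
// into front-end JavaScript, so anyone can read it and replay it. Registering
// the nopriv hook additionally exposes the handler to logged-out requests.
define( 'HYPO_OFFLINE_TOKEN', 'static-token' );   // hypothetical hard-coded value

function hypo_offline_ajax_vulnerable() {
    if ( ( $_POST['token'] ?? '' ) !== HYPO_OFFLINE_TOKEN ) {
        wp_send_json_error( 'bad token', 403 );
    }
    hypo_process_upload_queue();
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_offline_old', 'hypo_offline_ajax_vulnerable' );
add_action( 'wp_ajax_nopriv_hypo_offline_old', 'hypo_offline_ajax_vulnerable' );

// Hardened pattern: verify a per-user, expiring nonce, require an administrator
// capability, and register only the authenticated (non-nopriv) hook.
function hypo_offline_ajax_hardened() {
    // Dies with HTTP 403 when the nonce is missing, expired or issued to another user.
    check_ajax_referer( 'hypo_offline_action', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    hypo_process_upload_queue();
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_offline', 'hypo_offline_ajax_hardened' );

// The nonce is generated for the logged-in admin at enqueue time and handed to
// the script via wp_localize_script, instead of being hard-coded in the JS file.
function hypo_enqueue_admin_js() {
    wp_enqueue_script( 'hypo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hypo-admin', 'hypoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hypo_offline_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hypo_enqueue_admin_js' );
```

When auditing an installed version, the things to look for in the handler are exactly these: a `check_ajax_referer` (or `wp_verify_nonce`) call, a `current_user_can` check, and the absence of a `wp_ajax_nopriv_` registration for privileged actions.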

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type: First Time appeared
Values added: Inisev; Inisev backupbliss – Backup & Migration With Free Cloud Storage; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Inisev; Inisev backupbliss – Backup & Migration With Free Cloud Storage; Wordpress; Wordpress wordpress

Tue, 07 Apr 2026 20:45:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 18:00:00 +0000

Type: Description
Values added: The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.

Type: Title
Values added: Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage

Type: Weaknesses
Values added: CWE-862

Type: References
Values added: (empty)

Type: Metrics
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:41.782Z

Reserved: 2025-12-19T00:55:56.950Z

Link: CVE-2025-14944

Vulnrichment

Updated: 2026-04-07T18:28:52.218Z

NVD

Status : Deferred

Published: 2026-04-07T17:16:25.927

Modified: 2026-04-27T19:04:22.650

Link: CVE-2025-14944

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:47:56Z

Weaknesses