Description
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting. This is due to the plugin using the compression_level setting in proc_open() without any validation. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server.
Published: 2025-03-26
Score: 7.2 High
EPSS: 1.6% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid accepts a user‑supplied compression_level setting and passes it to PHP’s proc_open() without validation, an OS command injection flaw classified as CWE‑78. An authenticated administrator can place shell metacharacters and arbitrary commands in this parameter; when the plugin spawns the compression process, the injected commands run with the privileges of the web server (PHP) process, which typically means full control over the site's files and database credentials.

Affected Systems

All releases of the plugin up to and including version 1.16.10 are affected. The affected product is the Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid, distributed through WordPress.org (CPE cpe:2.3:a:boldgrid:total_upkeep:*:*:*:*:*:wordpress:*:*).

Risk and Exploitability

The CVSS 3.1 base score of 7.2 (High; vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) reflects network reachability, low attack complexity, no user interaction and full loss of confidentiality, integrity and availability, tempered by the requirement for high privileges. The EPSS score of 1.6 % suggests that exploitation is possible but not widespread, and the SSVC assessment records no known exploitation and rates the flaw as not automatable. Because administrator privileges are required, an attacker must first obtain or compromise an admin account. The vulnerability is not listed in the CISA KEV catalog, but its total technical impact makes it a remediation priority.

Generated by OpenCVE AI on April 22, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround is recorded in this entry; the advisory scopes the flaw to versions up to and including 1.16.10.

OpenCVE Recommended Actions

  • Upgrade the Total Upkeep plugin to a release later than 1.16.10 (1.16.11 or newer), which is the first version outside the affected range.
  • If an immediate upgrade is not feasible, patch the compression component so that compression_level is validated against the integer range the archiver accepts (0 to 9 for zip) before it reaches proc_open(), and pass the command as an argument array rather than a shell string (or escape every value with escapeshellarg()) so that shell metacharacters are never interpreted. Hard‑coding the level to a constant also closes the injection.
  • Keep the number of administrator accounts to a minimum, since the flaw is reachable only with administrator‑level access, and audit those accounts regularly for unauthorized additions or changes.

Generated by OpenCVE AI on April 22, 2026 at 17:41 UTC.
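The PHP below is an added example, not code from the Total Upkeep plugin or from OpenCVE. It contrasts the pattern the advisory describes (a stored compression_level setting reaching proc_open() without validation) with a hardened variant that validates the level and avoids the shell altogether, as recommended above. The zip invocation, the function names and the malicious sample value are assumptions chosen for the demonstration.

```php
<?php
// Added illustrative example; not code from the Total Upkeep plugin.
// It reproduces the CWE-78 pattern the advisory describes (a stored
// compression_level setting reaching proc_open() unvalidated) next to a
// hardened variant. The zip invocation, option values and function names
// are assumptions chosen for the demonstration.
declare(strict_types=1);

// VULNERABLE PATTERN: the setting is interpolated into a single shell
// command string. A value like "6; id > /tmp/pwned" terminates the zip
// invocation and the shell executes the remainder as a second command.
function build_zip_command_vulnerable(string $compression_level, string $archive, array $paths): string
{
    return "zip -$compression_level $archive " . implode(' ', $paths);
}

// HARDENED, step 1: allow only what the archiver accepts (zip levels 0-9).
// Anything else, including strings carrying shell metacharacters, falls
// back to a safe default instead of being passed through.
function sanitize_compression_level($raw, int $default = 6): int
{
    if (is_int($raw) && $raw >= 0 && $raw <= 9) {
        return $raw;
    }
    if (is_string($raw) && preg_match('/\A[0-9]\z/', $raw) === 1) {
        return (int) $raw;
    }
    return $default;
}

// HARDENED, step 2: build an argv array instead of a string. PHP >= 7.4
// hands an array command to proc_open() without involving a shell, so no
// argument is ever parsed for metacharacters. On older PHP, wrap each
// element in escapeshellarg() and implode() them into a string instead.
function build_zip_argv($raw_level, string $archive, array $paths): array
{
    $level = sanitize_compression_level($raw_level);
    return array_merge(['zip', '-' . $level, $archive], array_values($paths));
}

// Spawns the hardened command; returns the exit status, or null if the
// process could not be started.
function run_zip($raw_level, string $archive, array $paths): ?int
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(build_zip_argv($raw_level, $archive, $paths), $descriptors, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    // Drain both pipes so the child is never blocked on a full buffer.
    stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Demonstration with a constructed malicious setting value of the kind an
// administrator could store through a plugin settings form.
$malicious = '6; id > /tmp/pwned';
echo 'Unsafe command string: ' . build_zip_command_vulnerable($malicious, 'backup.zip', ['wp-content']) . PHP_EOL;
echo 'Hardened argv:         ' . json_encode(build_zip_argv($malicious, 'backup.zip', ['wp-content'])) . PHP_EOL;
```

In a WordPress plugin the same validation would normally be attached at save time as well, through the sanitize_callback argument of register_setting(), so that a value tampered directly in the database is still rejected when the backup job runs. The array form of proc_open() requires PHP 7.4 or newer; on older interpreters escapeshellarg() on every element is the fallback.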

Advisories
Source   ID               Title
EUVD     EUVD-2025-8110   The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting. This is due to the plugin using the compression_level setting in proc_open() without any validation. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server.
History

Thu, 22 May 2025 15:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Boldgrid
                                       Boldgrid total Upkeep
CPEs                                   cpe:2.3:a:boldgrid:total_upkeep:*:*:*:*:*:wordpress:*:*
Vendors & Products                     Boldgrid
                                       Boldgrid total Upkeep

Wed, 26 Mar 2025 15:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 08:30:00 +0000

Type          Values Removed    Values Added
Description                     The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting. This is due to the plugin using the compression_level setting in proc_open() without any validation. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server.
Title                           Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid <= 1.16.10 - Authenticated (Admin+) Command Injection
Weaknesses                      CWE-78
References
Metrics                         cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:53.250Z

Reserved: 2025-03-12T17:02:11.164Z

Link: CVE-2025-2257

Vulnrichment

Updated: 2025-03-26T14:21:06.268Z

NVD

Status: Analyzed

Published: 2025-03-26T09:15:16.647

Modified: 2025-05-22T14:43:29.413

Link: CVE-2025-2257

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses