Description
Cross-Site Request Forgery (CSRF) vulnerability in swedish boy Background Control background-control allows Path Traversal.This issue affects Background Control: from n/a through <= 1.0.5.
Published: 2025-01-15
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Background Control plugin for WordPress accepts a CSRF‑enabled request that manipulates a file path parameter, allowing an attacker to delete arbitrary files on the web host. The flaw is a classic Cross‑Site Request Forgery (CWE‑352) combined with insufficient path validation. An attacker could persuade an authenticated administrator or user to visit a crafted URL, resulting in removal of critical files, potential loss of site content, or even complete site takeover if core files are deleted.

Affected Systems

Vendors: Swedish Boy; Product: Background Control plugin for WordPress. All versions from the initial release up through 1.0.5 are affected. The vulnerability was present in every prior release, thus any WordPress site that has not upgraded beyond 1.0.5 is at risk.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, but the EPSS score of less than 1% means the attack likelihood is currently very low. It is not listed in the CISA KEV catalog, suggesting no widely reported exploitation. The likely attack vector is a remote web request; an adversary only needs to lure a privileged user to click a malicious link. Once the file deletion endpoint is hit, no further exploitation is required, making the impact straightforward but potentially devastating if core files are removed.

Generated by OpenCVE AI on May 2, 2026 at 06:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading Background Control to version 1.0.6 or newer.
  • Remove the Background Control plugin if an upgrade cannot be performed.
  • Configure WordPress and the server to prevent arbitrary file deletion, such as disabling the deleteFile action via the plugin or hardening file permissions.
  • Implement a web application firewall rule to block CSRF attempts targeting the plugin’s file deletion endpoint.

Generated by OpenCVE AI on May 2, 2026 at 06:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2993 Cross-Site Request Forgery (CSRF) vulnerability in Johan Ström Background Control allows Path Traversal.This issue affects Background Control: from n/a through 1.0.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Johan Ström Background Control allows Path Traversal.This issue affects Background Control: from n/a through 1.0.5. Cross-Site Request Forgery (CSRF) vulnerability in swedish boy Background Control background-control allows Path Traversal.This issue affects Background Control: from n/a through <= 1.0.5.
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

Wed, 15 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Johan Ström Background Control allows Path Traversal.This issue affects Background Control: from n/a through 1.0.5.
Title WordPress Background Control plugin <= 1.0.5 - CSRF to Arbitrary File Deletion vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:07.167Z

Reserved: 2025-01-07T21:05:06.989Z

Link: CVE-2025-22784

cve-icon Vulnrichment

Updated: 2025-01-15T19:21:28.459Z

cve-icon NVD

Status : Deferred

Published: 2025-01-15T16:15:41.127

Modified: 2026-06-17T08:50:02.833

Link: CVE-2025-22784

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T06:45:36Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)