Impact
The WordPress SQL Backup plugin (vendor:product Anthony:WordPress SQL Backup) contains a Cross-Site Request Forgery (CSRF) flaw that can be chained into Stored Cross-Site Scripting (XSS). An attacker lures a logged-in user into visiting a crafted page that silently submits a request to the vulnerable plugin endpoint; because the plugin does not effectively verify that the request originated from the user, it accepts the request and stores attacker-controlled content or changes the backup configuration without the user's knowledge or explicit approval. When that stored content is later rendered without escaping, the attacker's script executes in the context of an authenticated WordPress session, which can expose sensitive data or allow the attacker to modify site content.
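The plugin's own source is not reproduced on this page, so the handler below is an added, hypothetical illustration of the CSRF-to-stored-XSS pattern described above, not code from the WordPress SQL Backup plugin. The option name `sqlb_backup_dir`, the action `sqlb_save_settings`, the nonce field `sqlb_nonce` and all function names are assumptions made for the example; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `esc_attr`) are real.

```php
<?php
// Hypothetical WordPress settings handler showing the vulnerable pattern and
// its hardened counterpart. NOT code from the WordPress SQL Backup plugin; the
// option, action, nonce and function names are invented for this illustration.

// --- Vulnerable form: no capability check, no nonce, no sanitization, no
// output escaping. A crafted page can auto-submit a POST to
// admin-post.php?action=sqlb_save_settings while an administrator is logged
// in; the browser attaches the admin's cookies, the plugin stores the value,
// and the settings page later echoes it unescaped, so a payload such as
// "><script>...</script> runs for every user who opens that page.
function sqlb_save_settings_vulnerable() {
    $backup_dir = $_POST['backup_dir'] ?? '';
    update_option( 'sqlb_backup_dir', $backup_dir );
    wp_safe_redirect( admin_url( 'admin.php?page=sqlb' ) );
    exit;
}

function sqlb_render_settings_vulnerable() {
    // Stored value written straight into an attribute: stored XSS sink.
    echo '<input name="backup_dir" value="' . get_option( 'sqlb_backup_dir', '' ) . '">';
}

// --- Hardened form: capability check, per-user per-action nonce, input
// sanitization before storage, and context-appropriate output escaping.
function sqlb_render_settings_hardened() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Emits a hidden nonce field (and a _wp_http_referer field) bound to the
    // current user's session and the action name 'sqlb_save_settings'.
    wp_nonce_field( 'sqlb_save_settings', 'sqlb_nonce' );
    echo '<input type="hidden" name="action" value="sqlb_save_settings">';
    // esc_attr() neutralises quotes and angle brackets in the attribute context.
    echo '<input name="backup_dir" value="' . esc_attr( get_option( 'sqlb_backup_dir', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

function sqlb_save_settings_hardened() {
    // 1. Authorization: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: a cross-origin page cannot read or forge the nonce, so a
    //    request it triggers fails here. check_admin_referer() calls wp_die()
    //    when the nonce is missing or invalid.
    check_admin_referer( 'sqlb_save_settings', 'sqlb_nonce' );
    // 3. Sanitize before storing; this does not replace escaping on output.
    $backup_dir = sanitize_text_field( wp_unslash( $_POST['backup_dir'] ?? '' ) );
    update_option( 'sqlb_backup_dir', $backup_dir );
    wp_safe_redirect( admin_url( 'admin.php?page=sqlb' ) );
    exit;
}

// Register only the hardened handler for the admin-post.php action.
add_action( 'admin_post_sqlb_save_settings', 'sqlb_save_settings_hardened' );
```

The two checks address different bugs: the nonce and capability checks stop the forged request from being accepted at all (the CSRF half), while `sanitize_text_field` on input and `esc_attr` on output stop whatever is stored from executing as script (the XSS half). Fixing only one of them leaves the other weakness in place.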
Affected Systems
All released versions of the WordPress SQL Backup plugin up to and including 3.5.2 are affected; every installation that has not been updated beyond version 3.5.2 remains vulnerable.
Risk and Exploitability
The CVSS base score of 7.1 places this flaw in the High severity band, while the very low EPSS score (below 1%) indicates that exploitation in the wild has not been widely observed. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires a victim who is logged in to WordPress with a role that is permitted to use the plugin's privileged operations, so exploitability depends on the target's user role. Because the flaw is a CSRF, the attacker does not need credentials of their own: a malicious page the victim visits makes the victim's browser submit the request to the vulnerable endpoint with the victim's session cookies attached. Without such an authenticated victim interacting with the crafted page, the action cannot be triggered.