Description
Missing Authorization vulnerability in Tim Nguyen 1-Click Backup & Restore Database 1-click-backup-restore-database-by-sunbytes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 1-Click Backup & Restore Database: from n/a through <= 1.0.3.
Published: 2025-04-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization allows an attacker without proper permissions to perform backup and restore actions on a WordPress site. The plugin exposes endpoints that can be accessed when logged in, but role checks are ineffective, enabling retrieval of full database backups that reveal credentials, user data and configuration. This flaw represents a classic access‑control failure, identified as CWE-862.

Affected Systems

The vulnerability affects the WordPress plugin 1-Click Backup & Restore Database by Tim Nguyen, distributed under the Sunbytes name. All releases through 1.0.3 are impacted. Sites that still host this plugin and permit broad administrator access are at risk.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of <1% indicates a very low exploitation probability. The issue is not listed in the CISA KEV catalog. An attacker could exploit it remotely by sending crafted HTTP requests to the plugin’s backup endpoints, provided that authentication or privilege checks cannot be enforced. Because the functionality is publicly reachable within a WordPress installation, an active user or even a low‑privileged site visitor may be able to trigger the vulnerability.

Generated by OpenCVE AI on May 1, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a patched version that fixes the access‑control flaw, preferably the latest release from the developer.
  • Verify that backup and restore actions are only accessible to administrator roles; enforce role checks on the plugin's endpoints.
  • If a patch is not yet available, block or restrict access to the backup URLs using server‑level URL restrictions (e.g., .htaccess rules or a firewall) and disable the feature until the issue is resolved.

Advisories
Source ID Title
EUVD EUVD-2025-9794 Missing Authorization vulnerability in Tim Nguyen 1-Click Backup & Restore Database allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 1-Click Backup & Restore Database: from n/a through 1.0.3.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Tim Nguyen 1-Click Backup &amp; Restore Database 1-click-backup-restore-database-by-sunbytes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 1-Click Backup &amp; Restore Database: from n/a through <= 1.0.3. Missing Authorization vulnerability in Tim Nguyen 1-Click Backup & Restore Database 1-click-backup-restore-database-by-sunbytes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 1-Click Backup & Restore Database: from n/a through <= 1.0.3.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Tim Nguyen 1-Click Backup &amp; Restore Database allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 1-Click Backup &amp; Restore Database: from n/a through 1.0.3. Missing Authorization vulnerability in Tim Nguyen 1-Click Backup &amp; Restore Database 1-click-backup-restore-database-by-sunbytes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 1-Click Backup &amp; Restore Database: from n/a through <= 1.0.3.
Title WordPress 1-Click Backup & Restore Database <= 1.0.3 - Broken Access Control Vulnerability WordPress 1-Click Backup & Restore Database plugin <= 1.0.3 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Fri, 04 Apr 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Tim Nguyen 1-Click Backup &amp; Restore Database allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 1-Click Backup &amp; Restore Database: from n/a through 1.0.3.
Title WordPress 1-Click Backup & Restore Database <= 1.0.3 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:19.771Z

Reserved: 2025-04-04T10:02:07.011Z

Link: CVE-2025-32246

Vulnrichment

Updated: 2025-04-04T19:38:00.832Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:33.673

Modified: 2026-04-28T19:31:33.733

Link: CVE-2025-32246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:30:04Z

Weaknesses