Description
The Bei Fen – WordPress Backup Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the 'task'. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. This only affects instances running PHP 7.1 or older.
Published: 2025-09-30
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to code execution
Action: Update Plugin
AI Analysis

Impact

The Bei Fen – WordPress Backup Plugin is vulnerable to a Local File Inclusion (LFI) attack through the "task" parameter in all versions up to 1.4.2. Authenticated users with Subscriber level or higher can requested arbitrary .php files to be included and executed on the server, allowing the attacker to run arbitrary PHP code. This flaw can be used to bypass access controls, steal sensitive information, or compromise the entire site. The vulnerability is classified as CWE‑98 and only affects WordPress installations running PHP 7.1 or older.

Affected Systems

Affected systems are WordPress sites that have the Bei Fen – WordPress Backup Plugin version 1.4.2 or earlier installed. The publisher is d3rd4v1d. The issue is relevant for servers running PHP 7.1 or older, as newer PHP versions are not impacted by this flaw.

Risk and Exploitability

The severity of this vulnerability is high, with a CVSS score of 8.1, while the EPSS score is below 1%, indicating a low probability of exploitation at this time. It is not listed in the CISA KEV catalog. The attack vector requires that the attacker is an authenticated user with at least Subscriber‑level access and that a .php file is available for inclusion, either through upload or by other means. With those conditions, the attacker can execute arbitrary PHP code, potentially taking full control of the affected server.

Generated by OpenCVE AI on April 21, 2026 at 02:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bei Fen – WordPress Backup Plugin to the latest version that addresses the LFI flaw.
  • Upgrade the PHP runtime to version 7.2 or later to remove the affected PHP version range, or otherwise ensure the site does not use PHP 7.1 or older.
  • Restrict file upload permissions for Subscriber‑level users or enforce strict file type checks to prevent upload of .php files that could be included by the plugin.

Generated by OpenCVE AI on April 21, 2026 at 02:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31692 The Bei Fen – WordPress Backup Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the 'task'. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. This only affects instances running PHP 7.1 or older.
History

Tue, 30 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Sep 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared D3rd4v1d
D3rd4v1d bei Fen
Wordpress
Wordpress wordpress
Vendors & Products D3rd4v1d
D3rd4v1d bei Fen
Wordpress
Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Bei Fen – WordPress Backup Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the 'task'. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. This only affects instances running PHP 7.1 or older.
Title Bei Fen – WordPress Backup Plugin <= 1.4.2 - Authenticated (Subscriber+) Local File Inclusion
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

D3rd4v1d Bei Fen
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:10.697Z

Reserved: 2025-09-04T14:36:59.293Z

Link: CVE-2025-9993

cve-icon Vulnrichment

Updated: 2025-09-30T15:25:45.713Z

cve-icon NVD

Status : Deferred

Published: 2025-09-30T11:37:47.950

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9993

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses