Description
The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pcl_ajax_process_request_inner. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract force generation of a full-site backup archive written to a publicly accessible directory, exposing wp-config.php database credentials, WordPress secret salts, and the complete PHP source tree. The resulting archive is deposited in the plugin's unprotected tmp/ directory at a predictable URL, making the extracted data accessible to unauthenticated visitors once the backup is triggered.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 17 Jul 2026 06:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Ploudapp
Ploudapp pcloud Wp Backup Wordpress Wordpress wordpress |
|
| Vendors & Products |
Ploudapp
Ploudapp pcloud Wp Backup Wordpress Wordpress wordpress |
Fri, 17 Jul 2026 05:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pcl_ajax_process_request_inner. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract force generation of a full-site backup archive written to a publicly accessible directory, exposing wp-config.php database credentials, WordPress secret salts, and the complete PHP source tree. The resulting archive is deposited in the plugin's unprotected tmp/ directory at a predictable URL, making the extracted data accessible to unauthenticated visitors once the backup is triggered. | |
| Title | pCloud WP Backup <= 2.0.3 - Missing Authorization on the 'start_backup' AJAX Method to Authenticated (Subscriber+) Arbitrary File Read | |
| Weaknesses | CWE-200 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-17T03:43:41.024Z
Reserved: 2026-07-02T18:06:48.735Z
Link: CVE-2026-14503
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T06:30:11Z
Weaknesses
-
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor