Impact
The Database Backup for WordPress plugin contains a flaw that allows an unauthenticated attacker to read and delete arbitrary files on the server. Two defects combine: the plugin calls its authorization check but never acts on the result, and the backup directory is taken from user input without validation. An attacker can therefore point the backup path at a victim file, trigger the backup routine, and obtain the file's contents or remove it entirely. The outcome ranges from disclosure of sensitive files (a WordPress configuration file holds the database credentials) to full site compromise. The vulnerable code path is only reached where the deprecated is_site_admin() function is present, which is why the issue is confined to WordPress Multisite installations.
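To make the two defects concrete, the following is an added illustration written for this page, not code from the plugin: a hypothetical backup handler showing the vulnerable pattern (authorization result ignored, path taken from the request) beside a hardened form that enforces the capability check, binds the request to a nonce, and confines the target path to a fixed backup directory. The function names (db_backup_run_vulnerable, db_backup_run_hardened, db_backup_safe_path), the request parameter names (backup_dir, backup_name) and the nonce action are assumptions.

```php
<?php
// Added illustration, not the plugin's source. Function and parameter names
// (db_backup_run_vulnerable, db_backup_run_hardened, db_backup_safe_path,
// 'backup_dir', 'backup_name', nonce action 'db_backup_run') are assumptions.

// --- Vulnerable pattern -----------------------------------------------------
// The authorization function is called but its return value is discarded, and
// the target path is whatever the request supplies, so any file the web server
// user can access may be read and then deleted.
function db_backup_run_vulnerable() {
    if ( function_exists( 'is_site_admin' ) ) {
        is_site_admin();                      // result never checked
    }
    $target = $_REQUEST['backup_dir'];        // attacker-controlled, unvalidated
    header( 'Content-Type: application/octet-stream' );
    readfile( $target );                      // arbitrary file read
    unlink( $target );                        // arbitrary file delete
}

// --- Hardened pattern -------------------------------------------------------
// Resolve a user-supplied file name strictly inside $base. Returns false when
// $base does not exist, the name is empty after sanitisation, or the result
// would escape the base directory.
function db_backup_safe_path( $base, $name ) {
    $base = realpath( $base );
    $name = sanitize_file_name( (string) $name ); // strips '/', '..', control chars
    if ( false === $base || '' === $name ) {
        return false;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // sanitize_file_name already removes traversal sequences; the prefix check
    // enforces the containment invariant independently of that behaviour.
    if ( 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $candidate;
}

function db_backup_run_hardened() {
    // 1. Act on the authorization result, using the supported API rather than
    //    the deprecated is_site_admin().
    if ( ! is_super_admin() ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. Bind the state-changing request to a logged-in session (CSRF nonce).
    check_admin_referer( 'db_backup_run' );

    // 3. Never take a directory from the request; derive it from a fixed base
    //    and only accept a file name component.
    $uploads = wp_upload_dir();
    $base    = $uploads['basedir'] . '/db-backups';
    $target  = db_backup_safe_path( $base, $_POST['backup_name'] ?? '' );
    if ( false === $target || ! is_file( $target ) ) {
        wp_die( 'Invalid backup file', '', array( 'response' => 400 ) );
    }

    header( 'Content-Type: application/octet-stream' );
    readfile( $target );
    unlink( $target );
}
```

The prefix comparison in db_backup_safe_path is the check that actually closes the path-control defect; the capability and nonce checks close the authorization defect. Dropping either one leaves a working exploit path, which is the situation the advisory describes.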
Affected Systems
The flaw affects all versions of the Database Backup for WordPress plugin up to and including 2.5.2 when installed on WordPress Multisite. Only multisite environments that still expose the deprecated is_site_admin() function are vulnerable. The plugin intends to restrict the backup routine to the administrator role that is_site_admin() was meant to verify, but because the result of that check is ignored, the routine is reachable by anyone who can send an HTTP request to the site. Single-site WordPress installations are not affected.
Risk and Exploitability
With a CVSS score of 8.1 the vulnerability is rated high severity. No EPSS value is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation nonetheless requires neither credentials nor user interaction: an attacker only needs to supply a crafted backup directory value in a request to the plugin, which is trivial to automate across multisite WordPress sites that still ship is_site_admin(). Where that function is present, exploitation can be expected to succeed, so the practical risk for affected installations matches the high rating; sites without the deprecated function are not exposed.
OpenCVE Enrichment