Description
The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wp_db_temp_dir parameter, which controls where database backups are written. This makes it possible for unauthenticated attackers to send a request to wp-cron.php with a poisoned wp_db_temp_dir value pointing to a publicly accessible directory (e.g., wp-content/uploads/), and if a scheduled backup is due, intercept the backup file before it is cleaned up. The backup file has a predictable name based on the database name, table prefix, date, and Swatch Internet Time, making interception reliable. Successful exploitation leads to Sensitive Information Exposure including database credentials, user password hashes, and personally identifiable information. This vulnerability requires that the site administrator has configured scheduled backups.
Published: 2026-05-14
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Database Backup for WordPress plugin allows an attacker to bypass authorization controls because it does not restrict the wp_db_temp_dir parameter. This flaw permits an unauthenticated user to specify a publicly accessible directory for backups. When a scheduled backup occurs, the attacker can intercept the backup file before it is cleaned up. The backup file's name is derived from the database name, table prefix, date, and Swatch Internet Time, so it is predictable and interception is reliable. Successful exploitation reveals sensitive database credentials, user password hashes, and personally identifiable information.

Affected Systems

Any WordPress installation using the Database Backup for WordPress plugin version 2.5.2 or earlier is affected. The plugin vendor is wpengine under the product name 'Database Backup for WordPress'.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, and the vulnerability is not listed in the CISA KEV catalog. Because the exploit requires an attacker to target wp-cron.php and supply a manipulated wp_db_temp_dir value, the likely attack vector is web-based. The risk is elevated for sites that have scheduled backups configured and expose the temporary backup directory to the public.

Generated by OpenCVE AI on May 14, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Database Backup for WordPress plugin to a version newer than 2.5.2.
  • If an update is not feasible, disable scheduled backups or ensure the wp_db_temp_dir points to a non-public location.
  • Limit access to the wp_db_temp_dir by setting appropriate filesystem permissions so that only the server process can write to it, and remove publicly readable permissions.
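The description above states that the tampering request goes to wp-cron.php with a wp_db_temp_dir value pointing under the document root (e.g. wp-content/uploads/), and the recommended actions ask that the configured temp dir be a non-public location. The following is an added example, not code from OpenCVE, Wordfence or the plugin: it scans constructed Combined-Log-Format access log lines for wp-cron.php requests that carry wp_db_temp_dir, resolves each supplied value against an assumed web root of /var/www/html, and flags any that land inside the document root. The same resolve-and-check helper can be pointed at the plugin's configured setting to audit the second recommended action. The log lines, the web root and the rule that relative values resolve against the web root are all assumptions.

```python
"""Flag wp_db_temp_dir tampering attempts against wp-cron.php in access logs.

Added, constructed example (not OpenCVE's, Wordfence's or the plugin's code).
Assumptions: Combined Log Format lines, a document root of /var/www/html, and
relative wp_db_temp_dir values being interpreted relative to that root.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

WEBROOT = "/var/www/html"  # assumed document root of the WordPress site

# Constructed sample lines; none were taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2026:13:05:11 +0000] "GET /wp-cron.php?doing_wp_cron=1778764000&wp_db_temp_dir=wp-content/uploads/ HTTP/1.1" 200 0 "-" "curl/8.4.0"
198.51.100.9 - - [14/May/2026:13:05:12 +0000] "GET /wp-cron.php?doing_wp_cron=1778764001 HTTP/1.1" 200 0 "-" "WordPress/6.5"
203.0.113.7 - - [14/May/2026:13:05:40 +0000] "GET /wp-content/uploads/ HTTP/1.1" 403 199 "-" "curl/8.4.0"
192.0.2.5 - - [14/May/2026:13:06:02 +0000] "POST /wp-cron.php?wp_db_temp_dir=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fuploads%2F HTTP/1.1" 200 0 "-" "python-requests/2.31"
192.0.2.6 - - [14/May/2026:13:06:09 +0000] "GET /wp-cron.php?wp_db_temp_dir=/var/backups/wp/ HTTP/1.1" 200 0 "-" "curl/8.4.0"
"""

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def resolve_temp_dir(value: str, webroot: str = WEBROOT) -> str:
    """Return the absolute, normalised directory a wp_db_temp_dir value names.

    `value` must already be URL-decoded (parse_qs does that for log input).
    Absolute values are used as-is; relative values resolve against the web
    root (assumption). normpath collapses '..' so traversal out of the root
    is judged on the real target, not on the string.
    """
    return posixpath.normpath(posixpath.join(webroot, value.strip()))


def is_web_accessible(path: str, webroot: str = WEBROOT) -> bool:
    """True if `path` lies inside the document root, i.e. a backup written
    there could be fetched over HTTP. Sibling dirs such as /var/www/html-old
    are correctly not matched because the check requires a '/' boundary."""
    root = posixpath.normpath(webroot)
    return path == root or path.startswith(root + "/")


def scan_access_log(log_text: str, webroot: str = WEBROOT) -> list:
    """Return one finding per wp_db_temp_dir value sent to wp-cron.php."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        url = urlsplit(m["target"])
        if posixpath.basename(url.path) != "wp-cron.php":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "wp_db_temp_dir" not in params:
            continue  # ordinary cron ping without the parameter
        for raw in params["wp_db_temp_dir"]:
            resolved = resolve_temp_dir(raw, webroot)
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "method": m["method"],
                "raw": raw,
                "resolved": resolved,
                "web_accessible": is_web_accessible(resolved, webroot),
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        verdict = "PUBLIC DIR" if f["web_accessible"] else "non-public dir"
        print(f'{f["time"]} {f["ip"]} {f["method"]} wp_db_temp_dir={f["raw"]!r}'
              f' -> {f["resolved"]} [{verdict}]')
    # Auditing the configured setting (assumed value) uses the same helpers:
    configured = "wp-content/db-backups/"
    print("configured temp dir is web accessible:",
          is_web_accessible(resolve_temp_dir(configured)))
```

Any wp-cron.php request that carries wp_db_temp_dir at all is worth alerting on, since the parameter has no business arriving from the network; the web_accessible flag additionally tells the responder whether the named directory would have exposed a backup. Note that this only catches the parameter in the query string: if the plugin also reads it from POST bodies, the access log will not show it and a web application firewall or request-body log is needed instead.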


Tracking


Advisories

No advisories yet.

History

Thu, 14 May 2026 13:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wp_db_temp_dir parameter, which controls where database backups are written. This makes it possible for unauthenticated attackers to send a request to wp-cron.php with a poisoned wp_db_temp_dir value pointing to a publicly accessible directory (e.g., wp-content/uploads/), and if a scheduled backup is due, intercept the backup file before it is cleaned up. The backup file has a predictable name based on the database name, table prefix, date, and Swatch Internet Time, making interception reliable. Successful exploitation leads to Sensitive Information Exposure including database credentials, user password hashes, and personally identifiable information. This vulnerability requires that the site administrator has configured scheduled backups.
Title       |                | Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Database Backup Interception
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T12:32:02.352Z

Reserved: 2026-03-12T00:34:09.270Z

Link: CVE-2026-4031

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-14T13:16:20.907

Modified: 2026-05-14T14:28:41.283

Link: CVE-2026-4031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:45:22Z

Weaknesses