Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Password Recovery Exploitation. This issue affects Backup and Staging by WP Time Capsule: from n/a through <= 1.22.25.
Published: 2026-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in revmakx Backup and Staging by WP Time Capsule allows an attacker to bypass authentication by exploiting the password recovery mechanism. The bug permits an unauthenticated user to trigger the password recovery workflow and obtain elevated access, effectively compromising account integrity. The weakness is identified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Affected Systems

The affected product is the WP Time Capsule plugin for WordPress by revmakx, versions 1.22.25 and older. The issue applies to all website instances using these plugin versions that have the password recovery feature enabled.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, reflecting a high severity level. There is no EPSS score available, so current exploitation probability cannot be quantified; however, the flaw is publicly documented and could be leveraged remotely via the web interface. It is not listed in CISA's KEV catalog, but its impact on authentication undermines trust and could lead to privilege escalation. Attackers would likely need only a valid email address registered on the site or guessable user information to initiate the password recovery flow, and then exploit the server’s lack of proper verification to obtain administrative access.

Generated by OpenCVE AI on May 27, 2026 at 11:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Time Capsule to the latest version (1.22.26 or later) where the authentication flaw has been fixed.
  • If an update is not immediately feasible, temporarily disable or block the password recovery endpoint on the website to prevent unauthorized use.
  • After updating or blocking, review user accounts for any suspicious changes and enforce strong, unique passwords for all administrators.
  • Monitor site logs for repeated password recovery requests or other anomalous activity.


Advisories

No advisories yet.

History

Wed, 27 May 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Revmakx, Revmakx backup And Staging By Wp Time Capsule, Wordpress, Wordpress wordpress
Vendors & Products | | Revmakx, Revmakx backup And Staging By Wp Time Capsule, Wordpress, Wordpress wordpress

Wed, 27 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Password Recovery Exploitation. This issue affects Backup and Staging by WP Time Capsule: from n/a through <= 1.22.25.
Title | | WordPress Backup and Staging by WP Time Capsule plugin <= 1.22.25 - Broken Authentication vulnerability
Weaknesses | | CWE-288
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:47:45.332Z

Reserved: 2026-04-29T09:05:44.122Z

Link: CVE-2026-42760

Vulnrichment

Updated: 2026-05-27T10:47:38.639Z

NVD

Status: Received

Published: 2026-05-27T11:16:22.650

Modified: 2026-05-27T11:16:22.650

Link: CVE-2026-42760

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:45:15Z

Weaknesses