Description
Unauthenticated Sensitive Data Exposure in Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups <= 2.0.9 versions.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Sensitive Data Exposure exists in the WordPress Trinity Backup plugin up to version 2.0.9. The vulnerability stems from a missing authentication check that allows anyone to request sensitive backup files or configuration data. If accessed, an attacker could read potentially confidential information such as database dumps, configuration files, or other data stored by the plugin, which could lead to further compromise of the site.

Affected Systems

The Kingaddons Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups plugin for WordPress is affected in versions 2.0.9 and earlier. The fix begins with version 2.0.10, which removes the unauthenticated access path.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. EPSS data is not available, so the likelihood of exploitation is uncertain, but the lack of an authentication barrier makes exploitation straightforward. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed active exploits yet. The likely attack vector is via direct HTTP requests to the plugin’s endpoints that serve backup content, and because the check is absent, any user on the network or the public internet could exploit it if the site is publicly reachable.

Generated by OpenCVE AI on June 26, 2026 at 16:47 UTC.

Remediation

Vendor Solution

Update the WordPress Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups Plugin to the latest available version (at least 2.0.10).


OpenCVE Recommended Actions

  • Update the Trinity Backup plugin to version 2.0.10 or newer, which removes the unauthenticated access bug.
  • If the plugin is not essential, uninstall or permanently disable it to eliminate the attack surface.
  • After updating, ensure that any previously exposed backup files or directories are cleaned up or have permissions restricted so that only authorized administrators can view them.



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Sensitive Data Exposure in Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups <= 2.0.9 versions.
Title WordPress Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups plugin <= 2.0.9 - Sensitive Data Exposure vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:06:57.487Z

Reserved: 2026-06-16T09:21:57.269Z

Link: CVE-2026-54839

Vulnrichment

Updated: 2026-06-26T17:04:42.628Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key