Impact
Unauthenticated Cross-Site Request Forgery (CSRF) exists in the pCloud WP Backup plugin for WordPress, versions 2.0.2 and older. The flaw allows an attacker to craft a web request that the plugin processes as a legitimate action, so that backup or configuration operations can be triggered without the attacker being logged in or holding any credentials of their own. This class of weakness, classified as CWE-352, can lead to unauthorized data manipulation, unintended backup creation or deletion, and potentially the exposure of site content to the attacker.
Affected Systems
WordPress sites that use the pCloud WP Backup plugin provided by ploudapp, specifically each installation running version 2.0.2 or earlier.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.1, reflecting a moderate-to-high risk level. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting it has not yet been observed in widespread exploitation. The likely attack vector is a malicious link or embedded payload that the attacker directs a victim to; the victim's browser then sends an unauthorized request to the plugin's administrative endpoint, which lacks proper CSRF protection. If this succeeds, the attacker can perform backup-related actions with the privileges of the site's administrator, potentially leading to data loss or leakage.
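The missing control described above is the WordPress nonce check that ties a state-changing admin request to a form the site itself rendered for the current user. The following is an added example of a hardened admin-post handler; it is not the pCloud WP Backup plugin's code, and the prefix `example_backup`, the action name `example_backup_run`, the nonce field name `example_backup_nonce` and the cron hook `example_backup_cron` are assumed names chosen for illustration. All WordPress functions used (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `wp_schedule_single_event`, `wp_safe_redirect`) are real core APIs.

```php
<?php
/**
 * Added example (not the pCloud WP Backup plugin's code): a generic WordPress
 * admin action handler protected against CSRF with a nonce plus a capability check.
 * Names prefixed "example_backup" are hypothetical.
 */

// Renders the action form on an admin page. wp_nonce_field() embeds a token bound to
// the logged-in user and session; a page under an attacker's control cannot produce it.
function example_backup_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_backup_run">
        <?php wp_nonce_field( 'example_backup_run', 'example_backup_nonce' ); ?>
        <?php submit_button( 'Run backup now' ); ?>
    </form>
    <?php
}

// Register the handler on admin_post_ only (not admin_post_nopriv_), so anonymous
// requests never reach it at all.
add_action( 'admin_post_example_backup_run', 'example_backup_handle_run' );

function example_backup_handle_run() {
    // 1. Capability check: the acting user must be allowed to administer the site.
    //    This alone does not stop CSRF, because the forged request rides on the
    //    victim administrator's own session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the nonce must match the action and the current user.
    //    check_admin_referer() terminates the request with a 403 if the nonce is
    //    missing, expired or was issued for a different user or action.
    check_admin_referer( 'example_backup_run', 'example_backup_nonce' );

    // 3. Only after both checks pass is the state-changing work scheduled.
    //    example_backup_cron is a hypothetical hook the plugin would attach its job to.
    wp_schedule_single_event( time(), 'example_backup_cron' );

    // Redirect back to the admin UI; exit so no further output is emitted.
    wp_safe_redirect( add_query_arg( 'backup', 'started', admin_url( 'tools.php' ) ) );
    exit;
}
```

Both checks are needed: the capability check blocks low-privileged users who hold a valid session, and the nonce check blocks a valid administrator session from being driven by a page the administrator did not intend to submit. For AJAX handlers the equivalent call is `check_ajax_referer()`, and REST routes should declare a `permission_callback` and rely on the `X-WP-Nonce` header. When auditing a plugin for this weakness, look for `admin_post_`, `wp_ajax_` and `admin-ajax.php` handlers that perform state changes without one of these calls.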
OpenCVE Enrichment