Description
The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability.
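As an added illustration (not the plugin's own code), the Python below mirrors the non-recursive removal of `../` the description refers to, shows how the `....//` sequence survives it, and places a hardened resolution beside it that allowlists the name and confirms the canonical path stays inside the block directory; `BLOCKS_DIR` is a constructed path.

```python
import os
import re

# Constructed block directory for the demonstration (the real path depends on the site).
BLOCKS_DIR = "/srv/wp/wp-content/plugins/backwpup/blocks"
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def strip_traversal_once(block_name):
    """Single-pass removal of '../', mirroring a non-recursive str_replace().
    Each occurrence is removed once, so the fragments left on either side of
    it can re-form a traversal sequence ('....//' -> '../')."""
    return block_name.replace("../", "")


def resolve_vulnerable(block_name):
    """Illustrative weak resolution: sanitise once, then trust the result."""
    return os.path.normpath(os.path.join(BLOCKS_DIR, strip_traversal_once(block_name) + ".php"))


def inside_blocks_dir(path):
    """True when the canonical form of path lies under the block directory."""
    base = os.path.realpath(BLOCKS_DIR)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def resolve_hardened(block_name):
    """Defensive resolution: allowlist the identifier, canonicalise the path,
    and confirm it is still inside BLOCKS_DIR. Returns None on rejection."""
    if not SAFE_NAME.match(block_name):
        return None
    candidate = os.path.realpath(os.path.join(BLOCKS_DIR, block_name + ".php"))
    if not inside_blocks_dir(candidate):
        return None
    return candidate


if __name__ == "__main__":
    for name in ("summary", "....//....//....//....//wp-config"):
        print(repr(name), "->", resolve_vulnerable(name),
              "| hardened:", resolve_hardened(name))
```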
Published: 2026-04-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to potential remote code execution
Action: Immediate Patch
AI Analysis

Impact

The BackWPup WordPress plugin contains a Local File Inclusion flaw in the block_name parameter of the /wp-json/backwpup/v1/getblock REST endpoint. Because the plugin only performs a non‑recursive replacement of path traversal sequences, an attacker can craft a request such as ....// to reference arbitrary files on the server. With sufficient privilege the attacker can read sensitive configuration files or, for certain PHP configurations, execute code, compromising the entire WordPress site. This weakness aligns with CWE‑22, which focuses on path traversal leading to local file inclusion.

Affected Systems

All installations of the BackWPup WordPress Backup & Restore Plugin with versions 5.6.6 and earlier are affected. Administrators and any users granted backup‑handling privileges can trigger the vulnerability, allowing lower‑privilege users to craft malicious block_name values. Versions after 5.6.6 and other WordPress plugins are not impacted.

Risk and Exploitability

This vulnerability has a CVSS score of 7.2, indicating moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is internal: an authenticated attacker with administrator or backup‑handling rights can send a crafted request to the vulnerable REST endpoint and induce the server to include an arbitrary local file. Because the traversal sequences are not fully sanitized, the exploitation surface is relatively large and could lead to remote code execution if the server runs the included file. No publicly documented exploits are known, but the lack of full sanitization makes the flaw plausible for compromise.

Generated by OpenCVE AI on April 14, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BackWPup to version 5.6.7 or later.
  • If upgrading is delayed, disable or remove the /wp-json/backwpup/v1/getblock REST endpoint or restrict it to trusted IPs.
  • Apply least‑privilege principles by limiting users with backup handling permission to only those who truly need it.
  • Audit user roles and remove unnecessary backup rights.
  • Monitor REST API logs for suspicious block_name parameters.
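Detection logic for the last action, as an added example that is not part of the OpenCVE record: it scans constructed Combined Log Format lines for the getblock route and flags any decoded `block_name` that is not a plain identifier. It assumes a legitimate block name is alphanumeric with dashes or underscores, and also matches the `?rest_route=` form WordPress uses when pretty permalinks are off.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/backwpup/v1/getblock"
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
# Combined Log Format request line: client, identd, user, [timestamp] "METHOD target HTTP/x"
REQ_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) HTTP/')

# Constructed sample lines (not real traffic): a benign call, a call carrying the
# advisory's "....//" sequence, an unrelated REST call, and one using ?rest_route=.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Apr/2026:10:00:01 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=summary HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Apr/2026:10:00:02 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=....%2F%2F....%2F%2Fwp-config HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Apr/2026:10:00:03 +0000] "GET /wp-json/wp/v2/posts?page=2 HTTP/1.1" 200 4096 "-" "curl/8.0"',
    '203.0.113.5 - - [14/Apr/2026:10:00:04 +0000] "GET /index.php?rest_route=%2Fbackwpup%2Fv1%2Fgetblock&block_name=..%2Fwp-config HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def targets_getblock(path, params):
    """True when the request addresses the getblock route, either as a pretty
    permalink or via the ?rest_route= query form used without them."""
    if path.rstrip("/").endswith(ENDPOINT):
        return True
    return any(r.rstrip("/").endswith(ENDPOINT) for r in params.get("rest_route", []))


def suspicious_block_names(log_lines):
    """Returns (client_ip, timestamp, decoded_block_name) for every getblock
    request whose block_name is not a plain identifier."""
    hits = []
    for line in log_lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        if not targets_getblock(url.path, params):
            continue
        for raw in params.get("block_name", []):
            name = unquote(raw)  # parse_qs decoded once; a second pass exposes double-encoded input
            if not SAFE_NAME.match(name):
                hits.append((m["ip"], m["ts"], name))
    return hits


if __name__ == "__main__":
    for ip, ts, name in suspicious_block_names(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious block_name={name!r}")
```

If the endpoint also accepts `block_name` in a request body, the web-server access log will not show it; record the parameter at the WordPress layer (for example from the `rest_pre_dispatch` filter) and apply the same check there.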

Tracking

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wp Media; Wp Media backwpup – Wordpress Backup & Restore Plugin

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wp Media; Wp Media backwpup – Wordpress Backup & Restore Plugin

Tue, 14 Apr 2026 13:15:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 02:45:00 +0000

Type: Description
Values Added: The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability.

Type: Title
Values Added: BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics cvssV3_1
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Wp Media Backwpup – Wordpress Backup & Restore Plugin
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-14T13:03:30.768Z

Reserved: 2026-04-13T14:12:51.165Z

Link: CVE-2026-6227

Vulnrichment

Updated: 2026-04-14T13:03:04.615Z

NVD

Status: Deferred

Published: 2026-04-14T03:16:08.887

Modified: 2026-04-22T20:23:16.350

Link: CVE-2026-6227

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:59Z

Weaknesses