VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 11 known issues Latest disclosed Apr 13, 2026

BackWPup – WordPress Backup & Restore Plugin Vulnerabilities

Review known vulnerability records for the WordPress plugin BackWPup – WordPress Backup & Restore Plugin (`backwpup`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-6227, CVE-2025-15041 and CVE-2025-10579, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
11
High or Critical
7
Patch Coverage
100%
Last Updated
Apr 13, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for BackWPup – WordPress Backup & Restore Plugin so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
11 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
1 critical and 6 high severity findings.
Recent CVEs
CVE-2026-6227, CVE-2025-15041 and CVE-2025-10579
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for BackWPup – WordPress Backup & Restore Plugin

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-6227
BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter

The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences....

Published
Apr 13, 2026
Patched Release
5.6.7
Affected Versions
Versions up to 5.6.6
Next Step
Update to 5.6.7 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-15041
BackWPup 5.0.0 - 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions 5.0.0 to 5.6.2. This makes it possib...

Published
Feb 18, 2026
Patched Release
5.6.3
Affected Versions
5.0.0 through 5.6.2
Next Step
Update to 5.6.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-10579
BackWPup 5 - 5.5.0 - Missing Authorization to Sensitive Information Exposure

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in versions 5 through 5.5.0. This makes it possible for authenticated attackers, with Subscri...

Published
Oct 24, 2025
Patched Release
5.5.1
Affected Versions
5 through 5.5.0
Next Step
Update to 5.5.1 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-5505
BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal

The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server...

Published
Aug 16, 2024
Patched Release
4.0.2
Affected Versions
Versions up to 4.0.1
Next Step
Update to 4.0.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Low Patched: Yes CVE-2023-5775
BackWPup <= 4.0.2 - Plaintext Storage of Backup Destination Password

The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated att...

Published
Feb 23, 2024
Patched Release
4.0.3
Affected Versions
Versions up to 4.0.2
Next Step
Update to 4.0.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2023-7164
BackWPup <= 4.0.3 - Sensitive Information Exposure

The BackWPup – WordPress Backup Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.3. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Published
Dec 18, 2023
Patched Release
4.0.4
Affected Versions
Versions up to 4.0.3
Next Step
Update to 4.0.4 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2023-5504
BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal

The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additiona...

Published
Nov 22, 2023
Patched Release
4.0.2
Affected Versions
Versions up to 4.0.1
Next Step
Update to 4.0.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2017-2551
BackWPup <= 3.4.1 - Unauthenticated Backup Download

Vulnerability in Wordpress plugin BackWPup before v3.4.2 allows possible brute forcing of backup file for download.

Published
Sep 08, 2017
Patched Release
3.4.2
Affected Versions
Versions before 3.4.2
Next Step
Update to 3.4.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2013-4626
BackWPup < 3.0.13 - Cross-Site Scripting

Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php.

Published
Aug 21, 2013
Patched Release
3.0.13
Affected Versions
Versions before 3.0.13
Next Step
Update to 3.0.13 or newer if supported.
Open Full Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2011-4342
BackWPup <= 1.7.1 - Remote File Inclusion

PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter.

Published
Mar 28, 2011
Patched Release
1.7.2
Affected Versions
Versions up to 1.7.1
Next Step
Update to 1.7.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2011-5208
BackWPup – WordPress Backup Plugin < 1.4.1 - Directory Traversal

Multiple directory traversal vulnerabilities in the BackWPup plugin before 1.4.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the wpabs parameter to (1) app/options-view_log-iframe.php or (2) app/options-runnow-iframe.php.

Published
Mar 02, 2011
Patched Release
1.4.1
Affected Versions
Versions before 1.4.1
Next Step
Update to 1.4.1 or newer if supported.
Open Full Report Open CVE Reference