Which BackWPup – WordPress Backup & Restore Plugin CVEs are tracked?

BackWPup – WordPress Backup & Restore Plugin tracked CVEs include CVE-2011-4342, CVE-2023-5504, CVE-2023-7164, CVE-2017-2551, and CVE-2011-5208.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 11 known issues Latest disclosed Apr 13, 2026

BackWPup – WordPress Backup & Restore Plugin Vulnerabilities

Q: How many BackWPup – WordPress Backup & Restore Plugin vulnerabilities have patch guidance?

11 of 11 tracked BackWPup – WordPress Backup & Restore Plugin records include a published patch path.

Review known vulnerability records for the WordPress plugin BackWPup – WordPress Backup & Restore Plugin (`backwpup`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-6227, CVE-2025-15041 and CVE-2025-10579, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Apr 14, 2026

Related Security Guides

Use these guides while reviewing BackWPup – WordPress Backup & Restore Plugin fixes

Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.

Hardening

WordPress hardening checklist for exposed plugins

Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.

Plugin Security

WordPress plugin security basics for patch decisions

Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.

Scanning

WordPress vulnerability scanner buyer's guide

Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.

Patch Decision Workflow

How to prioritize BackWPup – WordPress Backup & Restore Plugin remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records

1. Match the Package

Confirm the installed WordPress plugin slug is backwpup before acting on any CVE from this cluster.

2. Sort by Severity

Start with 7 high or critical records, then review medium and unrated findings with public references.

3. Check Patch Evidence

11 records include a patch path; verify compatibility before closing the finding.

4. Monitor Gaps

0 records still lack a listed fixed release, so keep this hub in the review queue.

High-Signal Remediation Targets

CVE-2011-4342 Critical

Vulnerability remediation for BackWPup – WordPress Backup & Restore Plugin

Affected range: Versions up to 1.7.1. Fixed version: 1.7.2.

CVE-2023-5504 High

Vulnerability remediation for BackWPup – WordPress Backup & Restore Plugin

Affected range: Versions up to 4.0.1. Fixed version: 4.0.2.

CVE-2023-7164 High

Sensitive Information Exposure remediation for BackWPup – WordPress Backup & Restore Plugin

Affected range: Versions up to 4.0.3. Fixed version: 4.0.4.

CVE-2017-2551 High

Vulnerability remediation for BackWPup – WordPress Backup & Restore Plugin

Affected range: Versions before 3.4.2. Fixed version: 3.4.2.

Priority CVE Quick Links

Fast paths into BackWPup – WordPress Backup & Restore Plugin CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

Tracked CVE	Issue Type	Affected Versions	Fixed Version	CVSS
CVE-2011-4342 BackWPup <= 1.7.1 - Remote File Inclusion	Vulnerability	Versions up to 1.7.1	1.7.2	CVSS 9.8
CVE-2023-5504 BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal	Vulnerability	Versions up to 4.0.1	4.0.2	CVSS 8.7
CVE-2023-7164 BackWPup <= 4.0.3 - Sensitive Information Exposure	Sensitive Information Exposure	Versions up to 4.0.3	4.0.4	CVSS 7.5
CVE-2017-2551 BackWPup <= 3.4.1 - Unauthenticated Backup Download	Vulnerability	Versions before 3.4.2	3.4.2	CVSS 7.5
CVE-2011-5208 BackWPup – WordPress Backup Plugin < 1.4.1 - Directory Traversal	Vulnerability	Versions before 1.4.1	1.4.1	CVSS 7.5
CVE-2026-6227 BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_n...	Remote Code Execution	Versions up to 5.6.6	5.6.7	CVSS 7.2
CVE-2025-15041 BackWPup 5.0.0 - 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via A...	Privilege Escalation	5.0.0 through 5.6.2	5.6.3	CVSS 7.2
CVE-2023-5505 BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal	Vulnerability	Versions up to 4.0.1	4.0.2	CVSS 6.8

CVE-2011-4342 Critical 1.7.2

CVE-2011-4342 BackWPup – WordPress Backup & Restore Plugin Vulnerability

BackWPup <= 1.7.1 - Remote File Inclusion

CVE-2023-5504 High 4.0.2

CVE-2023-5504 BackWPup – WordPress Backup & Restore Plugin Vulnerability

BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal

CVE-2023-7164 High 4.0.4

CVE-2023-7164 BackWPup – WordPress Backup & Restore Plugin Sensitive Information Exposure

BackWPup <= 4.0.3 - Sensitive Information Exposure

CVE-2017-2551 High 3.4.2

CVE-2017-2551 BackWPup – WordPress Backup & Restore Plugin Vulnerability

BackWPup <= 3.4.1 - Unauthenticated Backup Download

CVE-2011-5208 High 1.4.1

CVE-2011-5208 BackWPup – WordPress Backup & Restore Plugin Vulnerability

BackWPup – WordPress Backup Plugin < 1.4.1 - Directory Traversal

CVE-2026-6227 High 5.6.7

CVE-2026-6227 BackWPup – WordPress Backup & Restore Plugin Remote Code Execution

BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter

CVE-2025-15041 High 5.6.3

CVE-2025-15041 BackWPup – WordPress Backup & Restore Plugin Privilege Escalation

BackWPup 5.0.0 - 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update

CVE-2023-5505 Medium 4.0.2

CVE-2023-5505 BackWPup – WordPress Backup & Restore Plugin Vulnerability

BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for BackWPup – WordPress Backup & Restore Plugin so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

11 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

1 critical and 6 high severity findings.

Recent CVEs

CVE-2026-6227, CVE-2025-15041 and CVE-2025-10579

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-6227 High Patch path listed

CVE-2026-6227: BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter

The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and includi...

Published

Apr 13, 2026

Patch Status

5.6.7

Review CVE-2026-6227 affected versions

CVE-2025-15041 High Patch path listed

CVE-2025-15041: BackWPup 5.0.0 - 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability che...

Published

Feb 18, 2026

Patch Status

5.6.3

Review CVE-2025-15041 affected versions

CVE-2025-10579 Medium Patch path listed

CVE-2025-10579: BackWPup 5 - 5.5.0 - Missing Authorization to Sensitive Information Exposure

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in...

Published

Oct 24, 2025

Patch Status

5.5.1

Review CVE-2025-10579 affected versions

Known Vulnerabilities

Reports for BackWPup – WordPress Backup & Restore Plugin

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-6227

CVE-2026-6227: BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter

The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences....

Published

Apr 13, 2026

Patched Release

5.6.7

Affected Versions

Versions up to 5.6.6

Next Step

Update to 5.6.7 or newer if supported.

Review CVE-2026-6227 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2025-15041

CVE-2025-15041: BackWPup 5.0.0 - 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions 5.0.0 to 5.6.2. This makes it possib...

Published

Feb 18, 2026

Patched Release

5.6.3

Affected Versions

5.0.0 through 5.6.2

Next Step

Update to 5.6.3 or newer if supported.

Review CVE-2025-15041 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-10579

CVE-2025-10579: BackWPup 5 - 5.5.0 - Missing Authorization to Sensitive Information Exposure

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in versions 5 through 5.5.0. This makes it possible for authenticated attackers, with Subscri...

Published

Oct 24, 2025

Patched Release

5.5.1

Affected Versions

5 through 5.5.0

Next Step

Update to 5.5.1 or newer if supported.

Review CVE-2025-10579 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-5505

CVE-2023-5505: BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal

The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server...

Published

Aug 16, 2024

Patched Release

4.0.2

Affected Versions

Versions up to 4.0.1

Next Step

Update to 4.0.2 or newer if supported.

Review CVE-2023-5505 fixed version details Open CVE Reference

Plugin Low Patched: Yes CVE-2023-5775

CVE-2023-5775: BackWPup <= 4.0.2 - Plaintext Storage of Backup Destination Password

The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated att...

Published

Feb 23, 2024

Patched Release

4.0.3

Affected Versions

Versions up to 4.0.2

Next Step

Update to 4.0.3 or newer if supported.

Review CVE-2023-5775 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2023-7164

CVE-2023-7164: BackWPup <= 4.0.3 - Sensitive Information Exposure

The BackWPup – WordPress Backup Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.3. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Published

Dec 18, 2023

Patched Release

4.0.4

Affected Versions

Versions up to 4.0.3

Next Step

Update to 4.0.4 or newer if supported.

Review CVE-2023-7164 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2023-5504

CVE-2023-5504: BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal

The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additiona...

Published

Nov 22, 2023

Patched Release

4.0.2

Affected Versions

Versions up to 4.0.1

Next Step

Update to 4.0.2 or newer if supported.

Review CVE-2023-5504 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2017-2551

CVE-2017-2551: BackWPup <= 3.4.1 - Unauthenticated Backup Download

Vulnerability in Wordpress plugin BackWPup before v3.4.2 allows possible brute forcing of backup file for download.

Published

Sep 08, 2017

Patched Release

3.4.2

Affected Versions

Versions before 3.4.2

Next Step

Update to 3.4.2 or newer if supported.

Review CVE-2017-2551 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2013-4626

CVE-2013-4626: BackWPup < 3.0.13 - Cross-Site Scripting

Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php.

Published

Aug 21, 2013

Patched Release

3.0.13

Affected Versions

Versions before 3.0.13

Next Step

Update to 3.0.13 or newer if supported.

Review CVE-2013-4626 fixed version details Open CVE Reference

Plugin Critical Patched: Yes CVE-2011-4342

CVE-2011-4342: BackWPup <= 1.7.1 - Remote File Inclusion

PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter.

Published

Mar 28, 2011

Patched Release

1.7.2

Affected Versions

Versions up to 1.7.1

Next Step

Update to 1.7.2 or newer if supported.

Review CVE-2011-4342 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2011-5208

CVE-2011-5208: BackWPup – WordPress Backup Plugin < 1.4.1 - Directory Traversal

Multiple directory traversal vulnerabilities in the BackWPup plugin before 1.4.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the wpabs parameter to (1) app/options-view_log-iframe.php or (2) app/options-runnow-iframe.php.

Published

Mar 02, 2011

Patched Release

1.4.1

Affected Versions

Versions before 1.4.1

Next Step

Update to 1.4.1 or newer if supported.

Review CVE-2011-5208 fixed version details Open CVE Reference