CVE-2019-25224
BaseFortify
Publication date: 2025-07-25
Last updated on: 2025-08-11
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpseeds | wp_database_backup | < 5.2 (5.2 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25224 is a critical OS command injection vulnerability in the WP Database Backup WordPress plugin, affecting versions before 5.2. The plugin creates backups by invoking the mysqldump command-line utility, and it lets the tables to skip be chosen through the wp_db_exclude_table parameter. That value was placed on the mysqldump command line without sanitization, so an attacker who can set it can append shell metacharacters and further commands, which the server executes the next time a backup runs. The attack is carried out remotely over HTTP and can lead to full control of the server hosting the site. [1, 2]
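The shell-level mechanics of the bug, as an added example that is not the plugin's code: a command line is built from the raw wp_db_exclude_table value and then handed to the shell, the way PHP's exec() or system() do. The mysqldump stub, the table name wp_users and the marker variable are constructed for the demo; the hardened builder shows the identifier check and quoting that make the injection impossible.

```shell
#!/bin/sh
# Added example, not the plugin's code: models how an unsanitized
# wp_db_exclude_table value reaches the system shell when a PHP plugin
# builds the mysqldump command line as a string and hands it to
# exec()/system(), which run it through /bin/sh -c.

# Stand-in for the real mysqldump binary so the demo runs offline: it
# only records the arguments it received.
mysqldump() { MYSQLDUMP_ARGS="$*"; }

# Vulnerable pattern: the raw option value is concatenated into a
# command string that the shell will later parse. Prints the string.
build_dump_cmd_vulnerable() {
  db="$1"; exclude="$2"
  printf 'mysqldump %s --ignore-table=%s.%s' "$db" "$db" "$exclude"
}

# Hardened pattern: accept only a plain identifier (letters, digits,
# underscore) for the table name, then single-quote it. Returns 1 and
# prints nothing for anything else, so no metacharacter can end the
# mysqldump command early. (db comes from configuration, not from the
# request, and is assumed not to contain a single quote.)
build_dump_cmd_safe() {
  db="$1"; exclude="$2"
  case "$exclude" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  printf "mysqldump '%s' --ignore-table='%s.%s'" "$db" "$db" "$exclude"
}

# Executes a built command string the way the shell would (eval stands
# in for sh -c) and reports whether anything besides mysqldump ran.
run_and_check() {
  INJECTED=no; MYSQLDUMP_ARGS=''
  eval "$1"
  if [ "$INJECTED" = yes ]; then echo injected; else echo clean; fi
}

# Demo: an attacker-supplied value terminates the command and appends
# its own. Here the appended command merely sets a marker variable.
PAYLOAD='wp_users; INJECTED=yes'
echo "legit value   -> $(run_and_check "$(build_dump_cmd_vulnerable wp wp_users)")"
echo "payload       -> $(run_and_check "$(build_dump_cmd_vulnerable wp "$PAYLOAD")")"
echo "payload, safe -> $(build_dump_cmd_safe wp "$PAYLOAD" || echo rejected)"
```

Validating against an allow-list of identifier characters is preferable to escaping alone: a table name has no legitimate need for anything outside that set, and rejecting early also stops `--`-prefixed values from being read as extra mysqldump options.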
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary commands on the server hosting the WordPress site; the cited sources differ on whether a valid WordPress account is needed to reach the vulnerable code path. The consequences are full server compromise: access to sensitive data, modification or deletion of files, installation of malware, and takeover of the website and the surrounding infrastructure. The reported CVSS base score is 9.8 (critical); a 9.8 base score corresponds to an attack that is reachable over the network and needs neither privileges nor user interaction, which is the unauthenticated reading. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Indicators of compromise include HTTP requests to the plugin's handler endpoints `/wp-admin/admin-ajax.php?page=wp-database-backup` and `/wp-admin/admin-post.php?page=wp-database-backup`, which may be exploitation attempts, so web server logs should be searched for these URLs. A `wp_db_exclude_table` parameter whose value contains shell metacharacters (`;`, `|`, `&`, backticks, `$(`), raw or percent-encoded, is a strong sign of an attempt, since a legitimate table name never contains them. Where the attacker needed a WordPress account (see the note on authentication above), reviewing authentication logs for suspicious logins followed by access to the plugin page (`wp-admin/tools.php?page=wp-database-backup`) can also surface attacks. At minimum, grep the access logs for the URLs and the parameter name; note that a standard access log records only the request line, so a parameter sent in a POST body is visible only in a WAF or ModSecurity audit log that captures request bodies. [1, 2]
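A grep-based triage of an access log for the indicators above, as an added example that is not part of the advisory. The log lines are constructed (hypothetical hosts, timestamps and paths) and embedded so the script runs offline; pass a real log path as the first argument to scan it instead.

```shell
#!/bin/sh
# Added example, not from the advisory: grep-based triage of a web server
# access log for the indicators named above (plugin endpoints and a
# wp_db_exclude_table value carrying shell metacharacters).

# Constructed sample lines in Apache "combined" format; hosts, paths and
# timestamps are hypothetical. Line 3 is an injection attempt with the
# semicolon percent-encoded; line 5 is a benign setting change.
SAMPLE_LOG='203.0.113.5 - - [25/Jul/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "curl/8.0"
203.0.113.5 - - [25/Jul/2025:10:00:02 +0000] "POST /wp-admin/admin-post.php?page=wp-database-backup HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.5 - - [25/Jul/2025:10:00:03 +0000] "POST /wp-admin/admin-post.php?page=wp-database-backup&wp_db_exclude_table=wp_users%3Bid HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [25/Jul/2025:11:15:00 +0000] "GET /wp-admin/tools.php?page=wp-database-backup HTTP/1.1" 200 8765 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2025:11:15:09 +0000] "POST /wp-admin/tools.php?page=wp-database-backup&wp_db_exclude_table=wp_options HTTP/1.1" 200 8765 "https://example.test/wp-admin/" "Mozilla/5.0"'

# Reads the log to scan: the file given as $1, or the sample above.
scan_input() {
  if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# Every request to the plugin's handler pages named in the advisory.
backup_endpoint_hits() {
  scan_input "$1" \
    | grep -E 'wp-admin/(admin-ajax|admin-post|tools)\.php\?[^" ]*page=wp-database-backup'
}

# Requests whose wp_db_exclude_table value contains a shell metacharacter,
# raw or percent-encoded: ; | & ` $ ( CR LF. A legitimate table name never
# contains these. Raw & is left out of the value class because it is the
# query-string separator; its encoded form %26 is still caught.
suspicious_exclude_hits() {
  scan_input "$1" \
    | grep -Ei 'wp_db_exclude_table=[^& "]*(;|%3B|\||%7C|%26|`|%60|\$|%24|\(|%28|%0A|%0D)'
}

# Caveat: an access log holds only the request line, so a parameter sent
# in a POST body is invisible here. Feed the same patterns a ModSecurity
# audit log or WAF log that records request bodies.
echo "== requests to WP Database Backup endpoints =="
backup_endpoint_hits "$1"
echo "== wp_db_exclude_table values containing shell metacharacters =="
suspicious_exclude_hits "$1" || echo "(none)"
```

Run it as `sh scan.sh /var/log/apache2/access.log`; endpoint hits from an address that never logged in interactively, or bursts of them from one client, are the ones to examine first.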
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the WP Database Backup plugin to version 5.2 or later, in which the issue is fixed; confirm the installed version on the Plugins page or with WP-CLI (`wp plugin list`). If updating right away is not possible, virtual patching through a website firewall (for example the Sucuri website firewall) can block exploitation attempts in the meantime. Additionally, enforce strict access controls so that only authorized users can reach the backup plugin, and monitor for the suspicious activity described above. The patch adds nonce verification, input sanitization, and capability checks, so that the exclude-table value can no longer be set by an unauthorized request or carry shell metacharacters into the command. [1, 3]