CVE-2025-10579
BaseFortify
Publication date: 2025-10-25
Last updated on: 2025-10-27
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpres | backwpup | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the BackWPup WordPress plugin up to version 5.5.0, where a missing capability check on the 'backwpup_working' AJAX action allows authenticated users with Subscriber-level access or higher to access the filename of a backup while it is running. Although the filename alone has limited value, it could potentially be used to assist in brute force attacks to retrieve backup contents in certain environments.
How can this vulnerability impact me?
The vulnerability could allow an attacker with low-level authenticated access to obtain backup filenames, which might be leveraged to perform brute force attacks to access backup contents. This could lead to unauthorized disclosure of sensitive data contained in backups, especially in environments like NGINX where such attacks might be feasible.