CVE-2025-14944
Missing Authorization in WordPress Backup Migration Plugin Enables Unauthorized Backup Uploads
Publication date: 2026-04-07
Last updated on: 2026-04-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| backup_migration | plugin | to 2.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Backup Migration plugin for WordPress has a vulnerability called Missing Authorization in all versions up to and including 2.0.0. This happens because the 'initializeOfflineAjax' function does not properly check user capabilities and lacks proper nonce verification.
Instead of verifying user permissions securely, the plugin only checks against hardcoded tokens that are publicly exposed in its JavaScript code. This allows unauthenticated attackers to trigger the backup upload queue processing without authorization.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to trigger backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.
However, there is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can cause unexpected backup transfers to configured cloud storage targets.
This can lead to resource exhaustion on your server or hosting environment, potentially degrading performance or causing denial of service.