CVE-2026-3143
Unauthenticated Rollback Cancellation in Total Upkeep WordPress Plugin
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| boldgrid | total_upkeep | to 1.17.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Total Upkeep β WordPress Backup Plugin plus Restore & Migrate by BoldGrid has a vulnerability due to a missing capability check on the 'wp_ajax_cli_cancel' function in all versions up to and including 1.17.1.
This flaw allows unauthenticated attackers to cancel a pending rollback operation, which is intended to automatically revert a failed WordPress update.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized modification of data by unauthenticated attackers, which could potentially impact the integrity of a WordPress installation by preventing automatic rollback of failed updates.
However, there is no specific information provided about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can prevent a WordPress installation from automatically reverting a failed update by canceling the rollback process.
This could leave the site in a broken or unstable state after an unsuccessful update, potentially causing service disruption or degraded functionality.