CVE-2026-14503
Received Received - Intake

Sensitive Information Exposure in pCloud WP Backup WordPress Plugin

Vulnerability report for CVE-2026-14503, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Wordfence

Description

The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pcl_ajax_process_request_inner. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract force generation of a full-site backup archive written to a publicly accessible directory, exposing wp-config.php database credentials, WordPress secret salts, and the complete PHP source tree. The resulting archive is deposited in the plugin's unprotected tmp/ directory at a predictable URL, making the extracted data accessible to unauthenticated visitors once the backup is triggered.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_backup plugin to 2.0.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The pCloud WP Backup plugin for WordPress has a flaw that allows sensitive information to be exposed. Authenticated attackers with subscriber-level access or higher can force the plugin to create a full-site backup archive in a publicly accessible directory. This archive contains sensitive data like database credentials from wp-config.php, WordPress secret salts, and the entire PHP source tree. The backup is stored in the plugin's tmp directory at a predictable URL, making it accessible to anyone without needing authentication.

Detection Guidance

Check for unauthorized backup files in the plugin's tmp directory, such as files named like wp2pcl_backup_*.zip in the /wp-content/plugins/wp2pcl/tmp/ path. Look for unexpected wp-config.php exposure or PHP source tree leaks in publicly accessible directories.

Impact Analysis

If exploited, this vulnerability could allow attackers to access sensitive data such as database credentials, WordPress secret keys, and the entire PHP source code of your WordPress site. This could lead to further attacks like database breaches, unauthorized access to user data, or complete site compromise. Attackers could also use the exposed credentials to take control of your WordPress installation or linked services.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR and HIPAA due to unauthorized exposure of sensitive data. GDPR requires protection of personal data, and HIPAA mandates safeguarding protected health information. If exploited, this flaw could result in data breaches, leading to legal penalties, fines, and reputational damage for organizations handling regulated data.

Mitigation Strategies

Update the pCloud WP Backup plugin to the latest version if available. If not, disable or remove the plugin immediately. Restrict access to the tmp directory and audit for any exposed backup files. Rotate WordPress secret salts and database credentials if compromised.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14503. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart