CVE-2026-9834

OS Command Injection in WP Database Backup Plugin

Vulnerability report for CVE-2026-9834, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Wordfence

Description

The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the `wp_db_exclude_table` parameter. The cause is the direct concatenation of user-supplied `$_POST['wp_db_exclude_table']` values into the `mysqldump` shell command string in the `mysqldump()` function of `includes/admin/class-wpdb-admin.php` without wrapping them in `escapeshellarg()`; every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is properly escaped, making the exclude-table values the sole exception. The only filtering applied, `sanitize_text_field()` via `recursive_sanitize_text_field()`, strips HTML tags but leaves shell metacharacters such as `;`, `|`, `` ` ``, and `$()` intact. This makes it possible for authenticated attackers with administrator-level access and above to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via `update_option('wp_db_exclude_table')`, later retrieved with `get_option()`, and passed unsanitized to `shell_exec()` whenever a backup operation runs.
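The pattern the description names, as an added illustration that is not the plugin's code: a hypothetical command builder in the vulnerable shape beside a hardened one. All names are invented, and the exclude list is assumed to reach mysqldump as its `--ignore-table=db.table` option.

```php
<?php
// Added illustration, not the plugin's code. Function and variable names are
// hypothetical; the exclude list is assumed to be passed as --ignore-table=db.table.

// Vulnerable shape: every argument is wrapped in escapeshellarg() except the
// exclude-table values, which are concatenated raw. sanitize_text_field() only
// strips tags, so ; | ` and $() survive into the shell string.
function build_mysqldump_unsafe(string $user, string $pass, string $host,
                                string $db, array $exclude, string $file): string {
    $cmd = 'mysqldump --user=' . escapeshellarg($user)
         . ' --password=' . escapeshellarg($pass)
         . ' --host=' . escapeshellarg($host);
    foreach ($exclude as $table) {
        $cmd .= ' --ignore-table=' . $db . '.' . $table;   // no escaping here
    }
    return $cmd . ' ' . escapeshellarg($db) . ' > ' . escapeshellarg($file);
}

// Hardened shape: allowlist the value as a MySQL unquoted identifier (letters,
// digits, _ and $, at most 64 characters) and then escape it like every other
// argument. The allowlist rejects junk early; escapeshellarg() makes the shell
// treat whatever remains as one literal argument.
function is_valid_table_name(string $name): bool {
    return (bool) preg_match('/\A[A-Za-z0-9_$]{1,64}\z/', $name);
}

function build_mysqldump_safe(string $user, string $pass, string $host,
                              string $db, array $exclude, string $file): string {
    $cmd = 'mysqldump --user=' . escapeshellarg($user)
         . ' --password=' . escapeshellarg($pass)
         . ' --host=' . escapeshellarg($host);
    foreach ($exclude as $table) {
        if (!is_valid_table_name($table)) {
            throw new InvalidArgumentException('Rejected exclude-table value: ' . $table);
        }
        $cmd .= ' --ignore-table=' . escapeshellarg($db . '.' . $table);
    }
    return $cmd . ' ' . escapeshellarg($db) . ' > ' . escapeshellarg($file);
}

// Constructed samples: a normal table name passes the allowlist; a value carrying
// a shell separator is refused before any command string is built.
var_dump(is_valid_table_name('wp_options'));
var_dump(is_valid_table_name('wp_options;x'));
```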



Affected Vendors & Products

1 associated CPE:
Vendor: backup_for_wp
Product: wp_database_backup
Version / Range: up to and including 7.11

Exploitability

CWE-77 (Command Injection)
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Executive Summary

The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection through the wp_db_exclude_table parameter in versions up to 7.11. This happens because user input from this parameter is directly concatenated into a mysqldump shell command without proper escaping, unlike other parameters. Although some filtering removes HTML tags, dangerous shell metacharacters remain, allowing an attacker with administrator access to execute arbitrary operating system commands on the server.

The malicious input is stored persistently in the WordPress options table and executed whenever a backup operation runs, potentially enabling full remote code execution.

Impact Analysis

This vulnerability allows an authenticated attacker with administrator-level access to execute arbitrary operating system commands on the server hosting the WordPress site. This can lead to full remote code execution, compromising the server's security and potentially allowing the attacker to take complete control over the system.

Compliance Impact

This vulnerability allows authenticated attackers with administrator-level access to execute arbitrary operating system commands on the server, potentially enabling full remote code execution.

Such unauthorized access and control over the server could lead to data breaches, unauthorized data modification, or data loss.

Consequently, this could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system integrity.

However, the provided information does not explicitly detail the compliance implications or specific regulatory impacts.

Detection Guidance

This vulnerability involves OS command injection via the wp_db_exclude_table parameter in the WP Database Backup plugin. Detection would focus on identifying suspicious or unauthorized use of this parameter, especially in POST requests to the plugin's settings or backup execution endpoints.

Since the injection is stored and executed during backup operations, monitoring for unusual shell commands or unexpected mysqldump executions on the server could help detect exploitation attempts.

  • Check the WordPress options table for suspicious wp_db_exclude_table values using SQL queries, e.g., `SELECT option_value FROM wp_options WHERE option_name = 'wp_db_exclude_table';`
  • Monitor web server logs for POST requests containing the wp_db_exclude_table parameter with shell metacharacters such as `;`, `|`, `` ` ``, or `$()`. Standard access logs do not record request bodies, so this needs a WAF, reverse proxy, or application-level log that captures POST parameters.
  • On the server, search for mysqldump commands executed with unusual arguments by inspecting process lists or command histories, e.g., `ps aux | grep mysqldump`. A process list only catches a dump that is running at that moment; execve auditing (auditd or equivalent) gives a persistent record.
  • Use file integrity monitoring or audit logs to detect unexpected changes or executions related to the backup plugin.

Mitigation Strategies
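A checker for the first item above, added here and not part of the page or the plugin: it takes an `option_value` as returned by that SQL query and reports entries containing shell metacharacters. It assumes the option is stored either as a plain string or as a PHP-serialized array (how WordPress persists array options); the sample values are constructed.

```php
<?php
// Added detection helper, not from the page or the plugin. It inspects a
// wp_db_exclude_table option_value for shell metacharacters. The value is assumed
// to be a plain string or a PHP-serialized array, as WordPress stores arrays.

const SHELL_METACHARS = '/[;|&`$<>(){}\n\r]/';

// Unpack the stored option into a flat list of strings. allowed_classes=false
// keeps untrusted serialized data from instantiating objects during the check.
function exclude_table_entries(string $option_value): array {
    $data = @unserialize($option_value, ['allowed_classes' => false]);
    if ($data === false && $option_value !== serialize(false)) {
        return [$option_value];                 // not serialized: treat as one raw string
    }
    if (is_array($data)) {
        $flat = [];
        array_walk_recursive($data, function ($v) use (&$flat) { $flat[] = (string) $v; });
        return $flat;
    }
    return [(string) $data];
}

// Returns the entries that contain shell metacharacters; an empty array means clean.
function suspicious_exclude_tables(string $option_value): array {
    $hits = [];
    foreach (exclude_table_entries($option_value) as $entry) {
        if (preg_match(SHELL_METACHARS, $entry)) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Constructed samples: a normal serialized exclude list, and one whose second
// entry carries a command separator and should be treated as an incident.
$clean = serialize(['wp_posts', 'wp_comments']);
$bad   = serialize(['wp_posts', 'wp_comments;x']);
var_dump(suspicious_exclude_tables($clean));
var_dump(suspicious_exclude_tables($bad));
```

Run it against each row the query returns on a multisite or staging copy; a non-empty result is the cue to restore the option to a known-good value and to pull the backup-run history for the same period.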

Immediate mitigation steps include restricting access to the plugin settings to only trusted administrators, as exploitation requires administrator-level access.

Temporarily disable or uninstall the WP Database Backup plugin until a patched version is available.

Review and sanitize the wp_db_exclude_table option value in the WordPress database to remove any malicious input.

Apply the principle of least privilege to WordPress users and server permissions (for example, running PHP and the backup job under an account that cannot write outside the site) to limit the impact of potential exploitation.

Monitor server logs and WordPress activity for signs of exploitation and respond accordingly.
