{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/database-backup-for-wordpress-plugin--2.5.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4031"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Database Backup for WordPress plugin \u003c= 2.5.2"],"_cs_severities":["high"],"_cs_tags":["wordpress","authorization-bypass","sensitive-data-exposure","cve"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Database Backup for WordPress plugin, versions 2.5.2 and earlier, contains an authorization bypass vulnerability (CVE-2026-4031). This flaw stems from the plugin\u0026rsquo;s failure to restrict access to the \u003ccode\u003ewp_db_temp_dir\u003c/code\u003e parameter. Unauthenticated attackers can exploit this vulnerability by sending a crafted request to \u003ccode\u003ewp-cron.php\u003c/code\u003e, poisoning the \u003ccode\u003ewp_db_temp_dir\u003c/code\u003e value to point to a publicly accessible directory, such as \u003ccode\u003ewp-content/uploads/\u003c/code\u003e. If a scheduled database backup is due, the attacker can intercept the backup file before it is cleaned up. The predictable naming convention of the backup file (based on database name, table prefix, date, and Swatch Internet Time) makes successful interception highly probable. This exploitation results in the exposure of sensitive information, including database credentials, user password hashes, and personally identifiable information (PII). 
Exploitation requires that the site administrator has configured scheduled backups.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Database Backup for WordPress plugin with scheduled backups enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting \u003ccode\u003ewp-cron.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a poisoned \u003ccode\u003ewp_db_temp_dir\u003c/code\u003e parameter, setting it to a publicly accessible directory such as \u003ccode\u003ewp-content/uploads/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted HTTP request to the WordPress site\u0026rsquo;s \u003ccode\u003ewp-cron.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf a scheduled database backup is triggered by the wp-cron.php execution, the plugin writes the backup file to the attacker-controlled directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the predictable naming scheme (database name, table prefix, date, and Swatch Internet Time) to determine the exact filename of the backup.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the backup file from the publicly accessible directory via HTTP(S).\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information, including database credentials, user password hashes, and personally identifiable information, from the intercepted backup file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4031 allows unauthenticated attackers to access sensitive information stored within the WordPress database backups. This includes database credentials, user password hashes, and personally identifiable information. 
The number of victims depends on the prevalence of the vulnerable plugin and the number of sites with scheduled backups enabled. This can lead to complete compromise of the WordPress site and potentially other systems if the database credentials are reused.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Database Backup for WordPress plugin to the latest version (greater than 2.5.2) to patch CVE-2026-4031.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003ewp-cron.php\u003c/code\u003e with suspicious \u003ccode\u003ewp_db_temp_dir\u003c/code\u003e parameters (see Sigma rule \u003ccode\u003eDetect Suspicious wp_db_temp_dir Parameter in wp-cron.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement strict file access controls on the \u003ccode\u003ewp-content/uploads/\u003c/code\u003e directory to prevent unauthorized access to any files written there.\u003c/li\u003e\n\u003cli\u003eReview and restrict access to \u003ccode\u003ewp-cron.php\u003c/code\u003e to prevent unauthorized triggering of scheduled tasks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T13:19:40Z","date_published":"2026-05-14T13:19:40Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-db-backup-auth-bypass/","summary":"CVE-2026-4031 is an authorization bypass vulnerability in the Database Backup for WordPress plugin (\u003c= 2.5.2) that allows unauthenticated attackers to intercept database backup files by manipulating the backup directory via the wp_db_temp_dir parameter, leading to sensitive information exposure.","title":"CVE-2026-4031 - Database Backup for WordPress Plugin Authorization 
Bypass","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-db-backup-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4030"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Database Backup for WordPress plugin \u003c= 2.5.2"],"_cs_severities":["high"],"_cs_tags":["wordpress","file_read","file_deletion","cve"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Database Backup for WordPress plugin, versions 2.5.2 and earlier, contains an arbitrary file read and deletion vulnerability (CVE-2026-4030). This flaw stems from the plugin\u0026rsquo;s failure to properly enforce the return value of its authorization checks. Coupled with a user-controlled backup directory parameter, this weakness allows unauthenticated attackers to read and delete arbitrary files on the affected WordPress server. This vulnerability is only exploitable in WordPress Multisite environments where the deprecated \u003ccode\u003eis_site_admin()\u003c/code\u003e function exists. 
Successful exploitation can lead to sensitive information exposure and potential site takeover, impacting the confidentiality and integrity of the targeted WordPress installation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress Multisite installation using the vulnerable Database Backup for WordPress plugin (\u0026lt;= 2.5.2).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the plugin\u0026rsquo;s functionality related to backup directory handling.\u003c/li\u003e\n\u003cli\u003eThe crafted request leverages the user-controlled backup directory parameter to specify a target file path outside the intended backup directory.\u003c/li\u003e\n\u003cli\u003eThe plugin fails to properly validate or sanitize the provided file path due to the insufficient authorization check.\u003c/li\u003e\n\u003cli\u003eThe plugin attempts to access the specified file based on the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf the request is for file reading, the plugin exposes the contents of the targeted file to the attacker in the HTTP response. If the request is for file deletion, the targeted file is removed from the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information, such as configuration files, database credentials, or other user data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exposed information to further compromise the WordPress installation, potentially leading to a full site takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4030 allows unauthenticated attackers to read arbitrary files on the server. This can lead to the exposure of sensitive information, including configuration files, database credentials, and user data. 
Attackers can also delete arbitrary files, potentially disrupting website functionality and leading to data loss. In WordPress Multisite environments, this can lead to a full site takeover, affecting all sites within the network. The overall impact is a compromise of confidentiality, integrity, and availability of the affected WordPress installation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Database Backup for WordPress plugin to version 2.5.3 or later to patch CVE-2026-4030.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing file paths outside the intended backup directory to detect potential exploitation attempts. Deploy the Sigma rules provided in this brief to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strong file permission controls on the WordPress server to limit access to sensitive files.\u003c/li\u003e\n\u003cli\u003eConsider disabling the Database Backup for WordPress plugin in WordPress Multisite environments where the deprecated \u003ccode\u003eis_site_admin()\u003c/code\u003e function is present.\u003c/li\u003e\n\u003cli\u003eReview WordPress Multisite configurations and ensure proper access controls are in place to prevent unauthorized file access.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to capture cs-uri-stem and cs-uri-query for request analysis (see Sigma rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T13:19:26Z","date_published":"2026-05-14T13:19:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-db-backup-file-read-deletion/","summary":"The Database Backup for WordPress plugin before 2.5.3 is vulnerable to unauthenticated arbitrary file read and deletion due to improper authorization checks and user-controlled backup directories, leading to sensitive information exposure and potential site takeover on WordPress Multisite environments.","title":"Database Backup for WordPress 
Plugin Arbitrary File Read and Deletion Vulnerability (CVE-2026-4030)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-db-backup-file-read-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4029"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Database Backup for WordPress plugin \u003c= 2.5.2"],"_cs_severities":["high"],"_cs_tags":["cve","wordpress","database backup","unauthenticated access","data exfiltration"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Database Backup for WordPress plugin, in versions up to and including 2.5.2, is vulnerable to an unauthorized database export flaw. This vulnerability, identified as CVE-2026-4029, stems from the plugin\u0026rsquo;s failure to properly enforce the return value of its authorization check. The vulnerability specifically affects WordPress Multisite environments where the deprecated \u003ccode\u003eis_site_admin()\u003c/code\u003e function is present. Successful exploitation allows unauthenticated attackers to export database tables, potentially leading to sensitive information exposure. 
Defenders should ensure the plugin is updated to a version beyond 2.5.2 or implement compensating controls to restrict access to database export functionality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress Multisite instance using Database Backup for WordPress plugin version 2.5.2 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request to the plugin\u0026rsquo;s database export functionality, bypassing the intended authorization checks.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s authorization check fails to properly validate the user\u0026rsquo;s permissions due to improper enforcement of the return value.\u003c/li\u003e\n\u003cli\u003eThe plugin initiates a database export operation.\u003c/li\u003e\n\u003cli\u003eThe database tables are exported and made accessible to the unauthenticated attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the exported database, which contains sensitive information.\u003c/li\u003e\n\u003cli\u003eAttacker analyzes the database content to extract sensitive credentials, configuration details, or user data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4029 allows unauthenticated attackers to export sensitive database tables from vulnerable WordPress Multisite installations. This can lead to the exposure of usernames, passwords, API keys, customer data, and other confidential information stored in the database. 
The impact is high due to the potential for complete compromise of the affected WordPress site and the sensitive data it manages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Database Backup for WordPress plugin to the latest version (greater than 2.5.2) to patch CVE-2026-4029.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to database export endpoints associated with the Database Backup for WordPress plugin, using the Sigma rule \u003ccode\u003eDetect Unauthorized WordPress Database Export\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIn WordPress Multisite environments, investigate any unusual activity related to the \u003ccode\u003eis_site_admin()\u003c/code\u003e function or database backup operations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T13:19:11Z","date_published":"2026-05-14T13:19:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-db-backup-export/","summary":"The Database Backup for WordPress plugin up to version 2.5.2 is vulnerable to unauthorized database export due to improper authorization enforcement, allowing unauthenticated attackers to export database tables in WordPress Multisite environments.","title":"CVE-2026-4029: Database Backup for WordPress Plugin Unauthorized Database Export","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-db-backup-export/"}],"language":"en","title":"CraftedSignal Threat Feed — Database Backup for WordPress Plugin \u003c= 2.5.2","version":"https://jsonfeed.org/version/1.1"}