CVE-2022-4931

MEDIUM 4.3

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

The BackupWordPress plugin for WordPress is vulnerable to information disclosure in versions up to, and including 3.12. This is due to missing authorization on the heartbeat_received() function that triggers on WordPress heartbeat. This makes it possible for authenticated attackers, with subscriber-level permissions and above to retrieve back-up paths that can subsequently be used to download the back-up.

Vendor	willmot
Product	backupwordpress
Published	Mar 7, 2023
Last Updated	Jan 13, 2025

Stay Ahead of the Next One

Get instant alerts for willmot backupwordpress

Be the first to know when new medium vulnerabilities affecting willmot backupwordpress are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

willmot / BackUpWordPress

3.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/747c86f4-118b-4a9c-899c-e9067d2c7a02 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2683799%40backupwordpress&new=2683799%40backupwordpress&sfp_email=&sfph_mail=

Credits

Ramuel Gall