🔐 CVE Alert

CVE-2025-14944

MEDIUM 5.3

Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.

CWE CWE-862
Vendor inisev
Product backupbliss – backup & migration with free cloud storage
Published Apr 7, 2026
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for inisev backupbliss – backup & migration with free cloud storage

Be the first to know when new medium vulnerabilities affecting inisev backupbliss – backup & migration with free cloud storage are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

inisev / BackupBliss – Backup & Migration with Free Cloud Storage
0 ≤ 2.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php

Credits

Rafał