CVE-2026-1311
Worry Proof Backup <= 0.2.4 - Authenticated (Subscriber+) Path Traversal via Backup Upload
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload a malicious ZIP archive with path traversal sequences to write arbitrary files anywhere on the server, including executable PHP files. This can lead to remote code execution.
| CWE | CWE-22 |
| Vendor | bearsthemes |
| Product | worry proof backup |
| Published | Feb 26, 2026 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for bearsthemes worry proof backup
Be the first to know when new high vulnerabilities affecting bearsthemes worry proof backup are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
bearsthemes / Worry Proof Backup
0 โค 0.2.4
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/3ffd6ce0-2536-43a5-9925-438bc653d0e5?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/worry-proof-backup/trunk/inc/libs/upload-backup.php#L97 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/worry-proof-backup/tags/0.2.4/inc/libs/upload-backup.php#L97
Credits
Athiwat Tiprasaharn Itthidej Aramsri