🔐 CVE Alert

CVE-2026-9834

HIGH 7.2

WP Database Backup <= 7.11 - Authenticated (Administrator+) OS Command Injection via 'wp_db_exclude_table' Parameter

CVSS Score
7.2
EPSS Score
0.0%
EPSS Percentile
0th

The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the `wp_db_exclude_table` parameter. This is due to the direct concatenation of user-supplied `$_POST['wp_db_exclude_table']` values into the `mysqldump` shell command string in the `mysqldump()` function of `includes/admin/class-wpdb-admin.php` without wrapping them in `escapeshellarg()`—every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is properly escaped, making the exclude-table values the sole exception—and because the only applied filtering, `sanitize_text_field()` via `recursive_sanitize_text_field()`, strips HTML tags but leaves shell metacharacters such as `;`, `|`, `` ` ``, and `$()` intact. This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via `update_option('wp_db_exclude_table')` and later retrieved with `get_option()` and passed unsanitized to `shell_exec()` whenever a backup operation runs.

CWE CWE-77
Vendor databasebackup
Product wp database backup – unlimited database & files backup by backup for wp
Published Jul 2, 2026
Last Updated Jul 2, 2026
Stay Ahead of the Next One

Get instant alerts for databasebackup wp database backup – unlimited database & files backup by backup for wp

Be the first to know when new high vulnerabilities affecting databasebackup wp database backup – unlimited database & files backup by backup for wp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

databasebackup / WP Database Backup – Unlimited Database & Files Backup by Backup for WP
0 ≤ 7.11

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/0a97a217-b00b-4268-a472-8d62ae1d18e3?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L2644 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L2654 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L216 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L2644 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L2654 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L216 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574273%40wp-database-backup&new=3574273%40wp-database-backup&sfp_email=&sfph_mail=

Credits

Irwan Kusuma