What the vulnerability does
01 Description
The Simple Backup plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 2.7.10 via the download_backup_file function. This is due to a lack of capability checks and file type validation: the handler does not verify that the requester is privileged, and it does not restrict which file it will serve. This makes it possible for unauthenticated attackers to download sensitive files such as wp-config.php from the affected site.
Explanation of Vulnerability in Simple Terms
02 Summary
Simple Backup versions before 2.7.11 contain a path traversal flaw in the backup download functionality that lets unauthenticated attackers read arbitrary files from the server. Because the requested path is neither confined to the backup directory nor limited to backup file types, an attacker can fetch files outside that directory, such as wp-config.php, by manipulating the file path in the request. No user interaction is required, and every installation running a vulnerable version is affected.
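The two sections above name the flaw class (a download handler with no capability check and no file type or path validation) without showing what it looks like in code. The following is an added illustration, not the Simple Backup plugin's own code: the function, hook, directory and query parameter names (`example_download_backup_*`, `EXAMPLE_BACKUP_DIR`, `file`) are assumptions chosen for the example. It shows the vulnerable pattern beside a hardened handler that adds the capability check, a nonce check, an extension allowlist and realpath confinement to the backup directory.

```php
<?php
// Added example: a generic WordPress download handler in its vulnerable and
// hardened forms. Names below are hypothetical, not the plugin's.

define('EXAMPLE_BACKUP_DIR', WP_CONTENT_DIR . '/example-backups');

// Vulnerable pattern. If this is reachable by any visitor (e.g. hooked on
// 'init' or 'admin_post_nopriv_*'), a request with file=../../wp-config.php
// is resolved relative to the backup directory and served verbatim: no
// capability check, no file type validation, no path confinement.
function example_download_backup_vulnerable() {
    $file = EXAMPLE_BACKUP_DIR . '/' . $_GET['file'];
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    readfile($file);
    exit;
}

// Hardened pattern.
function example_download_backup_hardened() {
    // 1. Capability check: only users who can manage the site may download backups.
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', array('response' => 403));
    }

    // 2. Nonce check so the download cannot be triggered cross-site.
    check_admin_referer('example_download_backup');

    // 3. Keep only the final path component; this alone removes "../" segments.
    $name = basename(sanitize_file_name(wp_unslash($_GET['file'] ?? '')));

    // 4. File type validation: allow only the archive types the plugin writes.
    if (!preg_match('/\.(zip|sql|sql\.gz)$/i', $name)) {
        wp_die('Invalid file type', '', array('response' => 400));
    }

    // 5. Resolve both paths and require the target to sit inside the backup
    //    directory. realpath() follows symlinks, so a planted link out of the
    //    directory is rejected as well.
    $base = realpath(EXAMPLE_BACKUP_DIR);
    $path = realpath($base . '/' . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        wp_die('Not found', '', array('response' => 404));
    }

    nocache_headers();
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// 'admin_post_*' (without the '_nopriv_' prefix) only fires for logged-in
// users, so unauthenticated requests never reach the handler at all.
add_action('admin_post_example_download_backup', 'example_download_backup_hardened');
```

Each of the five checks closes a different hole: the capability check alone would not stop a low-privileged subscriber if the check were too weak, and path confinement alone would not stop an unauthenticated user from downloading legitimate backups (which contain the database). A practitioner reviewing an exposed site can grep web server access logs for requests to the plugin's download action carrying `..` sequences or `wp-config.php`, and should rotate the database credentials and salts in wp-config.php if such requests are found.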
What an attacker can do
03 Attacker Capabilities
Read arbitrary files from the server, including configuration files and other sensitive data.
Potential impact on your site
04 Site Impact
Without logging in, an attacker can download sensitive files such as wp-config.php (database credentials and authentication salts), other configuration files, and private keys stored on the server.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
July 19, 2025: CVE published
April 8, 2026: Record updated