CVE-2025-10304 MEDIUM

CVE-2025-10304: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin <= 2.3.8 - Missing Authorization to Unauthenticated Backup Failure

Vendor: Everestthemes
Product: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
Weakness: CWE-862 · Missing authorization
Published: December 3, 2025
Last update: April 8, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress.
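The missing capability check described above, shown next to a corrected handler, as an added example that is not the plugin's own code (the plugin source is not shown on this page). Only the name process_status_unlink() comes from the advisory; the AJAX action name, the nonce field, the manage_options capability and the status file path are assumptions made for illustration.

```php
<?php
// Illustrative WordPress plugin snippet; NOT Everest Backup's actual source.
// The action name, nonce field, capability and file path are assumptions.

const EXAMPLE_ACTION = 'example_backup_status_unlink'; // hypothetical AJAX action

// Hypothetical location of the in-progress backup status file.
function example_status_file(): string {
    $uploads = wp_upload_dir();
    return trailingslashit( $uploads['basedir'] ) . 'example-backup/status.json';
}

// BEFORE (CWE-862 pattern): registered on the "nopriv" hook, so logged-out
// visitors reach it, and nothing checks who is asking before the file goes.
// Deliberately left unregistered here:
//   add_action( 'wp_ajax_nopriv_' . EXAMPLE_ACTION, 'example_process_status_unlink_unsafe' );
function example_process_status_unlink_unsafe(): void {
    wp_delete_file( example_status_file() );
    wp_send_json_success();
}

// AFTER: registered only on the authenticated hook (no wp_ajax_nopriv_ twin).
add_action( 'wp_ajax_' . EXAMPLE_ACTION, 'example_process_status_unlink' );

function example_process_status_unlink(): void {
    // Nonce check; third argument false so a failure returns instead of dying,
    // which lets the handler send its own 403 response.
    if ( ! check_ajax_referer( EXAMPLE_ACTION, '_wpnonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // Capability check: the step the advisory reports as missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // wp_send_json_error() terminates the request, so only authorized
    // callers reach the delete.
    $file = example_status_file();
    if ( is_file( $file ) ) {
        wp_delete_file( $file );
    }
    wp_send_json_success();
}
```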

Explanation of Vulnerability in Simple Terms

02 Summary

The Everest Backup plugin for WordPress does not check user permissions before running process_status_unlink(). An unauthenticated attacker can delete backup progress files, without logging in and without any user interaction, which causes a backup that is in progress to fail. The vulnerability affects all versions up to and including 2.3.8.

What an attacker can do

03 Attacker Capabilities

Delete backup progress files without authentication or user interaction, causing an in-progress backup to fail.

Potential impact on your site

04 Site Impact

Attackers can disrupt backups without logging in: deleting the progress files makes a backup fail while it is running.

Conditions required to exploit

05 Prerequisites

Network access to the WordPress site; no authentication required.

Key dates

06 Disclosure timeline

December 3, 2025: CVE published
April 8, 2026: Record updated