CVE-2025-14944 MEDIUM

CVE-2025-14944: Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage

Vendor Inisev
Product BackupBliss – Backup & Migration with Free Cloud Storage
Weakness CWE-862 · Missing authorization
Published April 7, 2026
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.

Explanation of Vulnerability in Simple Terms

02Summary

BackupBliss versions 2.0.0 and earlier lack proper authorization checks, allowing unauthenticated attackers to disrupt the backup service. An attacker can send network requests without credentials to trigger a denial-of-service condition. No user interaction is required. Sites running affected versions should update immediately.

What an attacker can do

03Attacker Capabilities

Disrupt backup operations without authentication by sending crafted network requests.

Potential impact on your site

04Site Impact

Backup service becomes unavailable, preventing data protection and recovery capabilities.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

April 7, 2026 CVE published
April 8, 2026 Record updated