What the vulnerability does
01Description
Cross-Site Request Forgery (CSRF) vulnerability in Backup Bolt Backup Bolt backup-bolt allows Cross Site Request Forgery.This issue affects Backup Bolt: from n/a through <= 1.5.0.
CVE-2025-49040
MEDIUM
CVE-2025-49040: WordPress Backup Bolt plugin <= 1.5.0 - Cross Site Request Forgery (CSRF) vulnerability
CVSS base score
4.3/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Explanation of Vulnerability in Simple Terms
02Summary
Backup Bolt versions 1.5.0 and earlier are vulnerable to cross-site request forgery (CSRF) attacks. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, performs unwanted actions on the backup system without the admin's knowledge or consent. The attacker cannot read sensitive data, but can modify backup settings or trigger unintended operations.
What an attacker can do
03Attacker Capabilities
Trick a logged-in admin into performing unwanted backup operations or configuration changes via a malicious webpage.
Potential impact on your site
04Site Impact
Backup configurations could be altered or backup jobs triggered unexpectedly, potentially disrupting backup schedules or data integrity.
Conditions required to exploit
05Prerequisites
Admin must visit a malicious webpage while logged into the site. No special privileges or complex setup required.
Key dates
06Disclosure timeline
August 27, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2025-5521 WuKongOpenSource WukongCRM updataPassword cross-site request forgery
CVE-2023-7038 automad User Creation cross-site request forgery
CVE-2023-49821 WordPress LiveChat Plugin <= 4.5.15 is vulnerable to Cross Site Request Forgery (CSRF)
CVE-2025-49856 WordPress Responsive Plus plugin <= 3.2.2 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
CVE-2024-12642 Chunghwa Telecom TenderDocTransfer - Arbitrary File Write
