CVE-2025-53246 MEDIUM

CVE-2025-53246: WordPress Backup and Move Plugin <= 0.1 - Broken Access Control Vulnerability

Vendor Gaurav Aggarwal
Product Backup and Move
Weakness CWE-862 · Missing authorization
Published November 6, 2025
Last update April 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in Gaurav Aggarwal Backup and Move backup-and-move allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backup and Move: from n/a through <= 0.1.

Explanation of Vulnerability in Simple Terms

02Summary

The Backup and Move plugin for WordPress contains an authorization flaw that allows authenticated users with low privileges to read sensitive data they should not access. An attacker with a standard user account can retrieve confidential information from the site without additional interaction. This vulnerability affects versions 0.1 and earlier.

What an attacker can do

03Attacker Capabilities

Read sensitive data on the site that should be restricted to higher-privilege users.

Potential impact on your site

04Site Impact

User data and site information may be exposed to any registered user, even those with minimal permissions.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account (e.g., subscriber or contributor role) on the WordPress site.

Key dates

06Disclosure timeline

November 6, 2025 CVE published
April 28, 2026 Record updated