What the vulnerability does
01 Description
The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6. The cause is a non-recursive `str_replace()` sanitization of path traversal sequences: each `../` is stripped in a single pass and the result is not re-checked, so an input such as `....//` collapses to `../` after sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via such crafted traversal sequences, which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators also have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability.
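The bypass above comes down to the filter running once and never looking at what its own deletions leave behind. The script below is an added example written for this page, not BackWPup's code: it models the single-pass `str_replace()` in Python, shows the doubled sequence surviving it and climbing out of the intended directory, and puts a hardened resolver beside it. `BASE_DIR`, the `.php` suffix and all function names are assumptions chosen for illustration; the plugin's real lookup logic is not reproduced.

```python
"""Added example (not BackWPup's code): why a single-pass traversal filter fails.

BASE_DIR, the ".php" suffix and the helper names are assumptions chosen to
illustrate the pattern; the plugin's real lookup logic is not reproduced.
Paths are handled as POSIX strings so the script runs anywhere without
touching the filesystem.
"""
import posixpath
import re

# Hypothetical directory the endpoint is meant to serve block files from.
BASE_DIR = "/var/www/html/wp-content/plugins/backwpup/blocks"

# Sequences a naive filter tries to remove.
TRAVERSAL_SEQS = ("../", "..\\")


def naive_sanitize(name: str) -> str:
    """Mirror a non-recursive str_replace(): each literal '../' is deleted in
    one left-to-right pass and the output is never re-scanned, so the middle
    of '....//' is removed and the leftover characters re-form '../'."""
    for seq in TRAVERSAL_SEQS:
        name = name.replace(seq, "")
    return name


def resolve_naively(block_name: str, base_dir: str = BASE_DIR) -> str:
    """Path the vulnerable pattern would hand to include(): sanitize once,
    join under base_dir, and let the surviving '../' segments climb out."""
    return posixpath.normpath(
        posixpath.join(base_dir, naive_sanitize(block_name) + ".php")
    )


def escapes_base(path: str, base_dir: str = BASE_DIR) -> bool:
    """True when a normalized absolute path is not under base_dir."""
    return posixpath.commonpath([path, base_dir]) != base_dir


# Hardened replacement: a block name is an identifier, never a path.
BLOCK_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def resolve_safely(block_name: str, base_dir: str = BASE_DIR):
    """Allow-list the identifier, then confirm the canonical path still sits
    inside base_dir. Returns None (reject) instead of trying to 'clean' input.
    In PHP the second check would use realpath(), which also resolves symlinks."""
    if not BLOCK_NAME_RE.fullmatch(block_name):
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, block_name + ".php"))
    if escapes_base(candidate, base_dir):
        return None
    return candidate


if __name__ == "__main__":
    cases = {
        "plain traversal": "../../../../wp-config",                # filter catches this
        "doubled traversal": "....//....//....//....//wp-config",  # filter fails
        "legitimate block": "summary",
    }
    for label, name in cases.items():
        naive = resolve_naively(name)
        print(f"{label:18} {name!r}")
        print(f"  naive  -> {naive}  (escapes base: {escapes_base(naive)})")
        print(f"  safe   -> {resolve_safely(name)}")
```

Note that the plain `../../../../wp-config` input is fully stripped and lands harmlessly inside `BASE_DIR`, which is exactly what makes a single-pass filter look correct in casual testing. The hardened version does not try to repair hostile input at all: anything that is not a bare identifier is rejected, and the canonical-path check is kept as defence in depth.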
Explanation of Vulnerability in Simple Terms
02 Summary
BackWPup versions up to and including 5.6.6 contain a path traversal flaw in the `getblock` REST endpoint: the `block_name` value selects a PHP file to include, and the traversal filter can be bypassed by doubling the sequence (`....//`). A logged-in user with administrator-level access, or a lower-level user an administrator has delegated backup permissions to, can point the include at files outside the directory the plugin intends to serve, exposing secrets such as the database credentials in `wp-config.php` and, in some configurations, running attacker-controlled PHP. This affects the confidentiality, integrity, and availability of the site.
What an attacker can do
03 Attacker Capabilities
Include arbitrary local PHP files through the `block_name` parameter, escaping the directory the endpoint is meant to serve. In practice this means reading sensitive files such as `wp-config.php` (database credentials, authentication salts) and, in certain configurations, executing arbitrary code on the server.
Potential impact on your site
04 Site Impact
A compromised or malicious administrator account can use the endpoint to expose secrets such as database credentials and, in configurations that allow code execution, take over the site entirely (install backdoors, alter or delete site data). Sites on which backup permissions have been delegated to lower roles widen the pool of accounts that can do this.
Conditions required to exploit
05 Prerequisites
The attacker must be authenticated to the WordPress site with Administrator-level privileges or above, or hold a lower-level account that an administrator has granted permission to handle backups; there is no unauthenticated path to the vulnerable code. On a single-site install an Administrator can normally upload plugins and therefore already run PHP, so the practical exposure is greatest on multisite, on sites with `DISALLOW_FILE_MODS` set, and on sites where backup permission has been delegated to non-administrators.
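Because every exploitation path goes through an authenticated account, the useful signal for incident response is a logged-in user calling the endpoint with traversal in `block_name`. The script below is an added example for this page, not the plugin's or the page's own code: it parses constructed access-log lines in combined log format, handles both the pretty-permalink route and the `?rest_route=` form, decodes repeated percent-encoding, and flags any `block_name` that is not a bare identifier. The log lines, field layout and helper names are assumptions made for the demo.

```python
"""Added example (not the plugin's or the page's code): hunt access logs for
getblock calls whose block_name carries traversal.

The log lines are constructed for the demo in Apache/nginx combined format;
the field layout, the endpoint path and the helper names are assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Pretty-permalink route, and the same route when passed via ?rest_route=.
ENDPOINT_PATH = "/wp-json/backwpup/v1/getblock"
REST_ROUTE = "/backwpup/v1/getblock"

# Minimal combined-log-format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: one benign call, one plain-text bypass, one percent-encoded
# bypass via rest_route, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Apr/2026:10:00:01 +0000] '
    '"GET /wp-json/backwpup/v1/getblock?block_name=summary HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Apr/2026:10:00:07 +0000] '
    '"GET /wp-json/backwpup/v1/getblock?block_name=....//....//....//....//wp-config HTTP/1.1" 200 2048',
    '198.51.100.9 - - [14/Apr/2026:10:01:00 +0000] '
    '"GET /index.php?rest_route=/backwpup/v1/getblock&block_name=%2e%2e%2e%2e%2f%2fwp-config HTTP/1.1" 200 1024',
    '198.51.100.9 - - [14/Apr/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_block_name(name: str) -> bool:
    """A legitimate block name is a bare identifier; '..', '/' or a backslash
    after decoding means someone is steering the include at another path."""
    return re.search(r"\.\.|[/\\]", fully_decode(name)) is not None


def targets_getblock(path: str, query: dict) -> bool:
    """Match the endpoint whether it was reached via /wp-json/ or ?rest_route=."""
    return path == ENDPOINT_PATH or REST_ROUTE in query.get("rest_route", [])


def scan_line(line: str):
    """Return a finding dict for a traversal attempt against getblock, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    query = parse_qs(parts.query)
    if not targets_getblock(parts.path, query):
        return None
    hits = [n for n in query.get("block_name", []) if suspicious_block_name(n)]
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "block_name": fully_decode(hits[0])}


def scan(lines):
    """Run scan_line over an iterable of log lines and keep the findings."""
    return [finding for finding in map(scan_line, lines) if finding]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} block_name={f['block_name']}")
```

Access logs only record the query string, so this catches the parameter when it is sent in the URL; if a request carries `block_name` in a POST body it will not appear here, and the same check has to run server-side instead, for example from a `rest_pre_dispatch` filter that inspects the REST request before the plugin's handler sees it. Matching hits back to the WordPress user requires the session cookie or the site's own audit log, since the access log shows only the client IP.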
Key dates
06 Disclosure timeline
April 14, 2026: CVE published
April 14, 2026: Record updated