CVE-2026-6227 HIGH

CVE-2026-6227: BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter

Vendor Wp_Media
Product BackWPup – WordPress Backup & Restore Plugin
Weakness CWE-22 · Path traversal
Published April 14, 2026
Last update April 14, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability.
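As an added illustration that is not BackWPup's own code, the block below models the non-recursive `str_replace()` filter described above next to a containment check that resolves the final path instead of stripping patterns; the function names and the allowed directory are assumptions for this example.

```php
<?php
// Added example, not BackWPup's code. weak_sanitize() models the single-pass
// str_replace() filter described in the advisory; resolve_block_path() is a
// hypothetical hardened replacement. Names and directory are assumptions.

// Weak: str_replace() makes one pass, so removing "../" from a nested
// sequence such as "....//" leaves behind a fresh "../" that is never
// examined again. The filter looks effective only on the simple case.
function weak_sanitize(string $blockName): string
{
    return str_replace(['../', '..\\'], '', $blockName);
}

// Hardened: never try to "clean" traversal out of the input. Accept only a
// plain identifier, build the candidate path from a fixed directory, resolve
// it with realpath(), and require the result to stay under that directory.
// realpath() also defeats symlinks inside the allowed directory that point
// elsewhere, and returns false for a non-existent file, which is rejected.
function resolve_block_path(string $blockName, string $allowedDir): ?string
{
    // Reject separators, dots and encoded junk before touching the filesystem.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $blockName)) {
        return null;
    }
    $base = realpath($allowedDir);
    $path = realpath($allowedDir . DIRECTORY_SEPARATOR . $blockName . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with a trailing separator so that a sibling directory whose
    // name merely starts with the base name does not pass the check.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed input using the nested sequence named in the advisory.
$input = '....//....//wp-config';
printf("weak filter result : %s\n", weak_sanitize($input));
printf("hardened result    : %s\n", var_export(resolve_block_path($input, __DIR__ . '/blocks'), true));
```

The weak filter collapses the nested sequence back into a working `../../` prefix, while the hardened resolver rejects it at the identifier check before any path is built.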

Explanation of Vulnerability in Simple Terms

02 Summary

BackWPup versions up to 5.6.6 contain a path traversal vulnerability that allows high-privilege users to read, write, or delete arbitrary files on the server. An attacker with administrator or equivalent access can bypass file system restrictions and access sensitive data outside the intended backup directories. This affects confidentiality, integrity, and availability of the site.

What an attacker can do

03 Attacker Capabilities

Read, write, or delete arbitrary files on the server outside the backup directory.

Potential impact on your site

04 Site Impact

A compromised admin account can access sensitive files, modify core files, or delete critical data.

Conditions required to exploit

05 Prerequisites

Attacker must have high-level privileges (administrator or equivalent role) on the WordPress site.

Key dates

06 Disclosure timeline

April 14, 2026 CVE published
April 14, 2026 Record updated