CVE-2026-4030— Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Arbitrary File Read and Deletion
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-4030
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Arbitrary File Read and Deletion
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup directory parameter. This makes it possible for unauthenticated attackers to read and delete arbitrary files on the server, leading to Sensitive Information Exposure and potential site takeover. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| wpengine | Database Backup for WordPress | 0 ~ 2.5.2 | - |
II. Public POCs for CVE-2026-4030
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-4030
请登录查看更多情报信息。
Same Patch Batch · wpengine · 2026-05-14 · 3 CVEs total
| CVE-2026-4029 | 7.5 HIGH | Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Database |
| CVE-2026-4031 | 7.5 HIGH | Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Database |
IV. Related Vulnerabilities
Same product: Database Backup for WordPress
- CVE-2026-4029
Database Backup for WordPress <= 2.5.2 - Missing Authorizati - CVE-2026-4031
Database Backup for WordPress <= 2.5.2 - Missing Authorizati - CVE-2022-1577
Database Backup for WordPress < 2.5.2 - Arbitrary Schedule S - CVE-2022-0255
Database Backup for WordPress < 2.5.1 - Admin+ SQL Injection - CVE-2021-24322
Database Backup for WordPress < 2.4 - Authenticated Persiste
Same vendor: wpengine
- CVE-2026-4029
Database Backup for WordPress <= 2.5.2 - Missing Authorizati - CVE-2026-4031
Database Backup for WordPress <= 2.5.2 - Missing Authorizati - CVE-2026-4812
Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Mis - CVE-2025-11427
WP Migrate Lite <= 2.7.6 - Unauthenticated Blind Server-Side - CVE-2023-6701
Advanced Custom Fields <= 6.2.4 - Authenticated (Contributor
Same weakness: CWE-862
- CVE-2026-45667
Open WebUI: Unauthenticated endpoint can trigger embedding g - CVE-2026-44571
Open WebUI: Improper Authorization in Standard Channels Allo - CVE-2026-45350
Open WebUI: Chat completion API allows tool restrictions to - CVE-2026-44569
Open WebUI: Insecure Message Access Breaks Authorization - CVE-2026-44550
Open WebUI: Mass Assignment via Pydantic extra='allow' Allow
V. Comments for CVE-2026-4030
No comments yet