{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10306", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-11T22:18:40.873Z", "datePublished": "2025-10-03T11:17:13.538Z", "dateUpdated": "2026-04-08T16:57:27.068Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:27.068Z"}, "affected": [{"vendor": "backupbolt", "product": "Backup Bolt", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to download directories outside of the webroot and write backup zip files to arbitrary locations."}], "title": "Backup Bolt <= 1.4.1 - Authenticated (Admin+) Arbitrary File Download", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63f38644-a021-407a-9882-2c8435849c08?source=cve"}, {"url": "https://wordpress.org/plugins/backup-bolt/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3373151%40backup-bolt&new=3373151%40backup-bolt&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.8, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-02T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-03T18:11:34.124061Z", "id": "CVE-2025-10306", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:11:44.601Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10306", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-03T18:11:34.124061Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:11:39.591Z"}}], "cna": {"title": "Backup Bolt <= 1.4.1 - Authenticated (Admin+) Arbitrary File Download", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.8, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "backupbolt", "product": "Backup Bolt", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.4.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-02T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63f38644-a021-407a-9882-2c8435849c08?source=cve"}, {"url": "https://wordpress.org/plugins/backup-bolt/"}], "descriptions": [{"lang": "en", "value": "The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to download directories outside of the webroot and write backup zip files to arbitrary locations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-03T11:17:13.538Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10306", "state": "PUBLISHED", "dateUpdated": "2025-10-03T18:11:44.601Z", "dateReserved": "2025-09-11T22:18:40.873Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-03T11:17:13.538Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to download directories outside of the webroot and write backup zip files to arbitrary locations."}], "id": "CVE-2025-10306", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-03T12:15:42.457", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3373151%40backup-bolt&new=3373151%40backup-bolt&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/backup-bolt/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63f38644-a021-407a-9882-2c8435849c08?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:16:13.564400+00:00", "value": {"mitigation_remediation": ["Update Backup Bolt to a version newer than 1.4.1 once available", "Restrict administrator privileges to trusted users and enforce least privilege", "Disable or restrict the backup functionality for non-essential accounts"], "summary": {"action": "Patch", "impact": "Arbitrary File Download"}, "threat_synthesis": {"affected_systems": "All WordPress sites running Backup Bolt version 1.4.1 or earlier are affected. The vulnerability applies to any installation where the plugin is activated and administrative access is available.", "description_and_impact": "The Backup Bolt plugin for WordPress contains a flaw in the process_backup_batch() function that lets an authenticated user with Administrator rights download files from outside the web root and write backup zip archives to arbitrary paths. This enables disclosure of sensitive files and uncontrolled storage of potentially malicious archives, exposing both confidentiality and integrity of the application and underlying server. The weakness is identified as CWE-73.", "risk_and_exploitability": "The measured CVSS score of 3.8 indicates low overall severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploit requires authenticated Administrator-level access, and the attacker can use the backup functionality to specify arbitrary file paths, making the attack vector likely to involve an insider or compromised administrator account rather than external traffic."}}}}, "created": "2025-10-06T14:42:55.358190+00:00", "updated": "2026-04-22T13:30:17.915703+00:00", "vendors": ["backupbolt", "backupbolt$PRODUCT$backup_bolt", "wordpress", "wordpress$PRODUCT$wordpress"]}