{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68039", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:07.753Z", "datePublished": "2026-01-22T16:52:05.483Z", "dateUpdated": "2026-04-28T16:14:27.657Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-backitup", "product": "WP BackItUp", "vendor": "Chris Simmons", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:19.601Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP BackItUp: from n/a through <= 2.1.0.</p>"}], "value": "Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP BackItUp: from n/a through <= 2.1.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.657Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-backitup/vulnerability/wordpress-wp-backitup-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP BackItUp plugin <= 2.1.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T20:16:17.645517Z", "id": "CVE-2025-68039", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:29:06.752Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68039", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T20:16:17.645517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T20:16:14.183Z"}}], "cna": {"title": "WordPress WP BackItUp plugin <= 2.1.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Chris Simmons", "product": "WP BackItUp", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.0"}], "packageName": "wp-backitup", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:19.601Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-backitup/vulnerability/wordpress-wp-backitup-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP BackItUp: from n/a through <= 2.1.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP BackItUp: from n/a through <= 2.1.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.831Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68039", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:29:06.752Z", "dateReserved": "2025-12-15T10:01:07.753Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:05.483Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP BackItUp: from n/a through <= 2.1.0."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en Chris Simmons WP BackItUp wp-backitup permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP BackItUp: desde n/a hasta &lt;= 2.0.0."}], "id": "CVE-2025-68039", "lastModified": "2026-04-27T19:16:23.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:09.130", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-backitup/vulnerability/wordpress-wp-backitup-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:19:52.897039+00:00", "value": {"mitigation_remediation": ["Update the WP BackItUp plugin to the latest supported version (greater than 2.1.0).", "Review and tighten the plugin\u2019s access control configuration, ensuring only trusted administrator roles can trigger backup or restoration actions.", "Audit the WordPress instance for any unauthorized or suspicious use of the backup functionalities and consider disabling the plugin if it is not actively required."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WP BackItUp plugin developed by Chris Simmons. All installations running version 2.1.0 or earlier are impacted; the issue is present from the earliest release through 2.1.0 inclusive. Vulnerable systems include WordPress sites where the plugin is installed and configured without proper role restrictions.", "description_and_impact": "Missing Authorization in the WP BackItUp plugin for WordPress allows attackers to bypass configured access control settings. An attacker can exploit wrongly set security levels to gain unauthorized access to plugin features, potentially exposing backup data, administrative functions, or other sensitive information. The core weakness is a broken access control flaw (CWE-862).", "risk_and_exploitability": "The CVSS base score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA\u2019s KEV catalog. It is likely exploitable via the web interface of the plugin, though the description does not provide explicit exploitation details. Attackers would need access to the WordPress site\u2019s administration area or to craft requests that bypass role checks to take advantage of this flaw."}}}}, "created": "2026-01-23T16:31:17.543747+00:00", "updated": "2026-04-27T21:30:13.882926+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}