{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6227", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-13T14:12:51.165Z", "datePublished": "2026-04-14T02:25:47.771Z", "dateUpdated": "2026-04-14T13:03:30.768Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T02:25:47.771Z"}, "affected": [{"vendor": "wp_media", "product": "BackWPup \u2013 WordPress Backup & Restore Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.6.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability."}], "title": "BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/084e3f78-275b-4692-9cce-e17074f55cfb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPupHelpers.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/backwpup/trunk/inc/Utils/BackWPupHelpers.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPupHelpers.php#L40"}, {"url": "https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/src/Frontend/API/Rest.php#L52"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3490642%40backwpup%2Ftrunk&old=3475739%40backwpup%2Ftrunk&sfp_email=&sfph_mail=#file26"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "JOAO PEDRO VENTURA ALVES"}], "timeline": [{"time": "2026-04-13T14:13:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T13:01:06.063780Z", "id": "CVE-2026-6227", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:03:30.768Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6227", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T13:01:06.063780Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:03:04.615Z"}}], "cna": {"title": "BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "JOAO PEDRO VENTURA ALVES"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "wp_media", "product": "BackWPup \u2013 WordPress Backup & Restore Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.6.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-13T14:13:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/084e3f78-275b-4692-9cce-e17074f55cfb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPupHelpers.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/backwpup/trunk/inc/Utils/BackWPupHelpers.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPupHelpers.php#L40"}, {"url": "https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/src/Frontend/API/Rest.php#L52"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3490642%40backwpup%2Ftrunk&old=3475739%40backwpup%2Ftrunk&sfp_email=&sfph_mail=#file26"}], "descriptions": [{"lang": "en", "value": "The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T02:25:47.771Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6227", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:03:30.768Z", "dateReserved": "2026-04-13T14:12:51.165Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-14T02:25:47.771Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability."}], "id": "CVE-2026-6227", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-14T03:16:08.887", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPupHelpers.php#L23"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPupHelpers.php#L40"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/src/Frontend/API/Rest.php#L52"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backwpup/trunk/inc/Utils/BackWPupHelpers.php#L23"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3490642%40backwpup%2Ftrunk&old=3475739%40backwpup%2Ftrunk&sfp_email=&sfph_mail=#file26"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/084e3f78-275b-4692-9cce-e17074f55cfb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.6.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "BackWPup \u2013 WordPress Backup & Restore Plugin", "source": "cna", "vendor": "wp_media"}, "product": "backwpup_\u2013_wordpress_backup_&_restore_plugin", "vendor": "wp_media"}], "analysis": {"en": {"generated_at": "2026-04-14T03:20:39.668023+00:00", "value": {"mitigation_remediation": ["Upgrade BackWPup to version 5.6.7 or later.", "If upgrading is delayed, disable or remove the /wp-json/backwpup/v1/getblock REST endpoint or restrict it to trusted IPs.", "Apply least\u2011privilege principles by limiting users with backup handling permission to only those who truly need it.", "Audit user roles and remove unnecessary backup rights.", "Monitor REST API logs for suspicious block_name parameters."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion leading to potential remote code execution"}, "threat_synthesis": {"affected_systems": "All installations of the BackWPup WordPress Backup & Restore Plugin with versions 5.6.6 and earlier are affected. Administrators and any users granted backup\u2011handling privileges can trigger the vulnerability, allowing lower\u2011privilege users to craft malicious block_name values. Versions after 5.6.6 and other WordPress plugins are not impacted.", "description_and_impact": "The BackWPup WordPress plugin contains a Local File Inclusion flaw in the block_name parameter of the /wp-json/backwpup/v1/getblock REST endpoint. Because the plugin only performs a non\u2011recursive replacement of path traversal sequences, an attacker can craft a request such as ....// to reference arbitrary files on the server. With sufficient privilege the attacker can read sensitive configuration files or, for certain PHP configurations, execute code, compromising the entire WordPress site. This weakness aligns with CWE\u201122, which focuses on path traversal leading to local file inclusion.", "risk_and_exploitability": "This vulnerability has a CVSS score of 7.2, indicating moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is internal: an authenticated attacker with administrator or backup\u2011handling rights can send a crafted request to the vulnerable REST endpoint and induce the server to include an arbitrary local file. Because the traversal sequences are not fully sanitized, the exploitation surface is relatively large and could lead to remote code execution if the server runs the included file. No publicly documented exploits are known, but the lack of full sanitization makes the flaw plausible for compromise."}}}}, "created": "2026-04-14T16:16:03.154453+00:00", "updated": "2026-04-14T16:30:59.841058+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp_media", "wp_media$PRODUCT$backwpup_\u2013_wordpress_backup_&_restore_plugin"]}