Platform
wordpress
Component
backup-backup
Fixed in
2.0.1
CVE-2025-14944 describes a Missing Authorization vulnerability found in the BackupBliss – Backup & Migration with Free Cloud Storage plugin for WordPress. An unauthenticated attacker can exploit this flaw to initiate backup upload queue processing, leading to unexpected data transfers and potential resource exhaustion on the server. This vulnerability affects versions up to and including 2.0.0, but a patch is available in version 2.1.0.
An attacker can exploit this missing authorization vulnerability to initiate backup transfers to configured cloud storage targets without authentication. This can lead to resource exhaustion on the server, potentially impacting other applications. Furthermore, an attacker could potentially upload malicious files to the cloud storage, compromising the integrity of the backups. The blast radius extends to the cloud storage environment and any systems that rely on the backups. This vulnerability highlights the importance of proper authorization checks in WordPress plugins, especially those dealing with sensitive data like backups.
CVE-2025-14944 was published on 2026-04-07. The vulnerability's exploitation probability is considered medium. The vulnerability relies on publicly exposed JavaScript tokens, making exploitation relatively straightforward. No active campaigns targeting this specific vulnerability have been reported, but the ease of exploitation warrants immediate attention. The EPSS score is pending evaluation.
Exploit status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade the BackupBliss WordPress plugin to version 2.1.0 or later. If upgrading is not immediately feasible, consider temporarily disabling the plugin to prevent unauthorized access. Implement strict firewall rules to restrict access to the 'initializeOfflineAjax' endpoint. Regularly review cloud storage access logs for any suspicious activity. After upgrading, confirm the fix by attempting to trigger the backup upload queue without being logged in as an administrator.
Update to version 2.1.0 or a newer patched version
A nonce is a unique, one-time-use number used to prevent Cross-Site Request Forgery (CSRF) attacks. It helps verify that a request originates from the legitimate website and not a malicious source.
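To make the missing-authorization pattern and the nonce's actual role concrete, here is an added illustration of a WordPress admin-ajax handler that queues a backup upload, first without any check and then hardened with a capability check plus a nonce check. This is example code written for this page, not the BackupBliss plugin's own code; the action name `example_backup_queue`, the function names, the script handle and the `manage_options` capability are assumptions.

```php
<?php
// Added illustration (not the plugin's code): a WordPress admin-ajax
// handler for a hypothetical "queue a backup upload" action, shown
// first as the missing-authorization pattern and then hardened.
// Action name, function names, script handle and the 'manage_options'
// capability are assumptions chosen for this example.

// --- Vulnerable pattern: callable by anyone -------------------------
// Registering the callback under wp_ajax_nopriv_* exposes it to
// unauthenticated visitors, and the callback never asks who is calling.
add_action( 'wp_ajax_example_backup_queue',        'example_backup_queue_unsafe' );
add_action( 'wp_ajax_nopriv_example_backup_queue', 'example_backup_queue_unsafe' );

function example_backup_queue_unsafe() {
    example_start_upload_queue();      // side effect: cloud transfer begins
    wp_send_json_success( 'queued' );
}

// --- Hardened pattern -----------------------------------------------
// 1. No wp_ajax_nopriv_* hook: anonymous requests never reach the code.
// 2. A capability check answers "is this user allowed to do this?".
// 3. A nonce check answers "did this user intend this request?" (CSRF).
//    A nonce alone is not an authorization control: it is printed into
//    page JavaScript for whoever can load that page.
add_action( 'wp_ajax_example_backup_queue', 'example_backup_queue_safe' );

function example_backup_queue_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // sends JSON, then wp_die()
    }
    check_ajax_referer( 'example_backup_queue', 'nonce' ); // dies on failure
    example_start_upload_queue();
    wp_send_json_success( 'queued' );
}

// Hand the nonce to the admin page script that calls the endpoint.
// Assumes the 'example-backup-admin' handle is registered elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-backup-admin', 'exampleBackup', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_backup_queue' ),
    ) );
} );

function example_start_upload_queue() {
    // Placeholder for the real work (queue backups for cloud upload).
}
```

With the hardened handler in place, an unauthenticated POST to admin-ajax.php for this action returns WordPress's default `0` response instead of starting a transfer, which is the check the mitigation section describes.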
In the WordPress admin dashboard, go to 'Plugins'. You will see a list of all installed plugins, along with available update notifications.
If you suspect your site has been compromised, immediately change all administrator passwords, scan the site for malware, and consider restoring from a clean backup.
There are WordPress vulnerability scanners that can detect this vulnerability. Some examples include WPScan and Sucuri SiteCheck.
CVSS (Common Vulnerability Scoring System) is a standard for assessing the severity of security vulnerabilities. A score of 5.3 indicates a moderate risk.