Platform: wordpress
Component: backwpup
Fixed in: 5.6.7
CVE-2026-6227 describes a Local File Inclusion (LFI) vulnerability affecting the BackWPup plugin for WordPress. This flaw allows authenticated attackers with administrator privileges to include arbitrary PHP files on the server, potentially leading to sensitive data exposure or remote code execution. The vulnerability impacts versions of BackWPup up to and including 5.6.6, with a fix available in version 5.6.7.
The primary impact of CVE-2026-6227 is the ability for an authenticated administrator to read arbitrary files on the server. By crafting malicious traversal sequences within the /wp-json/backwpup/v1/getblock REST endpoint's block_name parameter (e.g., ....//), an attacker can bypass inadequate sanitization and include files like wp-config.php. Exposure of wp-config.php would grant access to database credentials, effectively compromising the entire WordPress site. In certain server configurations, this LFI could be leveraged to achieve remote code execution, allowing an attacker to fully control the web server. This vulnerability shares similarities with other LFI exploits where improper input validation allows attackers to manipulate file paths.
CVE-2026-6227 was publicly disclosed on 2026-04-13. There is no indication of this vulnerability being actively exploited in the wild at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it likely that such exploits will emerge.
WordPress websites utilizing the BackWPup plugin, particularly those running versions 5.6.6 or earlier, are at risk. Shared hosting environments where multiple WordPress installations share the same server are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites with weak administrator password policies are also at increased risk.
• wordpress / composer / npm:
grep -rF '....//' /var/www/html/wp-content/plugins/backwpup/includes/class-backwpup-rest.php  # -F: match the literal string, not a regex where each dot is a wildcard
• generic web:
curl -I 'https://your-wordpress-site.com/wp-json/backwpup/v1/getblock?block_name=....//wp-config.php' | grep 'HTTP/1.1'  # Check for 403 Forbidden or another error indicating access denied
Exploit status
EPSS: 0.41% (61st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-6227 is to immediately upgrade the BackWPup plugin to version 5.6.7 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting access to the /wp-json/backwpup/v1/getblock endpoint using a web application firewall (WAF) or proxy server. Implement strict input validation rules to prevent path traversal sequences. Monitor WordPress access logs for suspicious requests targeting the /wp-json/backwpup/v1/getblock endpoint, specifically looking for patterns containing ....//. After upgrading, confirm the fix by attempting to access the endpoint with a crafted payload and verifying that the request is properly rejected.
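To support the log-monitoring step above, here is an added example (not part of the advisory or of the BackWPup project) that scans combined-format access log lines for requests to the getblock endpoint whose block_name carries a traversal sequence, after undoing repeated percent-encoding. The log lines, IP addresses and timestamps are constructed sample data.

```python
"""Flag CVE-2026-6227 probing in web server access logs (added example)."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/wp-json/backwpup/v1/getblock"
# "../" or "..\" after decoding; the advisory's "....//" bypass contains "../"
# as a substring, so it is caught by the same pattern.
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two probes (one succeeded, one blocked), two benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Apr/2026:10:01:02 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=....//....//wp-config.php HTTP/1.1" 200 1843',
    '203.0.113.7 - - [13/Apr/2026:10:01:05 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=%252e%252e%252fwp-config.php HTTP/1.1" 403 0',
    '198.51.100.9 - - [13/Apr/2026:10:02:00 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=jobs HTTP/1.1" 200 512',
    '198.51.100.9 - - [13/Apr/2026:10:02:30 +0000] "GET /wp-json/wp/v2/posts?search=..%2F HTTP/1.1" 200 9001',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding (%252e -> %2e -> .) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(line: str) -> Optional[dict]:
    """Return hit details when the line targets ENDPOINT with traversal in block_name."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not decode_fully(parts.path).rstrip("/").endswith(ENDPOINT):
        return None
    # parse_qs already decodes one layer; decode_fully handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("block_name", []):
        value = decode_fully(raw)
        if TRAVERSAL.search(value):
            return {"ip": m.group("ip"), "status": m.group("status"), "block_name": value}
    return None


def scan(lines):
    """Return the hit records for every suspicious line, in log order."""
    return [hit for hit in map(is_suspicious, lines) if hit]
```

A 200 status on a flagged request means the payload was served and the host should be treated as compromised; a 403 shows the WAF rule doing its job.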
Update to version 5.6.7 or a newer patched version.
CVE-2026-6227 is a Local File Inclusion vulnerability in the BackWPup plugin for WordPress, allowing authenticated administrators to include arbitrary PHP files.
You are affected if you are using BackWPup version 5.6.6 or earlier. Upgrade to 5.6.7 to mitigate the risk.
Upgrade the BackWPup plugin to version 5.6.7 or later. Consider restricting access to the vulnerable endpoint as a temporary workaround.
There are currently no confirmed reports of active exploitation, but public PoCs are likely to emerge.
Refer to the BackWPup plugin website or WordPress.org plugin page for the latest advisory and update information.