Platform: wordpress
Component: database-backup
Fixed in: 2.36.1
CVE-2024-13910 describes an arbitrary file deletion vulnerability discovered in the Database Backup and check Tables Automated With Scheduler plugin for WordPress. This flaw allows authenticated administrators to delete arbitrary files on the server, potentially enabling remote code execution. The vulnerability affects versions of the plugin up to and including 2.35, with a partial fix implemented in version 2.36.
The primary impact of CVE-2024-13910 is the ability for an authenticated administrator to delete arbitrary files on the server. While the vulnerability requires administrator privileges, this represents a significant escalation of risk. Deletion of critical files, such as wp-config.php, could lead to complete compromise of the WordPress installation, allowing an attacker to execute arbitrary code and gain full control of the server. The ease of file deletion, coupled with the potential for code execution, makes this a high-severity vulnerability. This vulnerability shares similarities with other file deletion vulnerabilities where the deletion of key configuration files can lead to complete system takeover.
CVE-2024-13910 was publicly disclosed on 2025-03-01. No active exploitation campaigns have been publicly reported, but once administrator privileges are held, exploitation requires little effort. The vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation makes it likely that they will emerge.
Exploit Status
EPSS: 3.97% (88th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-13910 is to upgrade the Database Backup and check Tables Automated With Scheduler plugin to version 2.36 or later. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress installation to limit the impact of potential file deletions. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion requests targeting the databasebackupajax_delete endpoint. Regularly review WordPress plugin installations and ensure they are from trusted sources.
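The following is an added example, not code from this advisory or from the plugin: a path-containment check of the kind a hardened delete handler needs, plus a scan of constructed access-log lines for requests to the databasebackupajax_delete action whose file parameter would escape the backup directory. The backup directory, the parameter name `file` and the log format are assumptions; only the action name comes from the advisory.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed location of the plugin's backups; anything outside it must never be deleted.
BACKUP_DIR = "/var/www/html/wp-content/backups"

def resolve_requested_path(base_dir, requested):
    """Canonical path a deletion request points at, or None when it escapes base_dir.
    Containment check for a hardened delete handler: decode, reject NUL bytes,
    resolve '..' and symlinks, then require the result to stay below base_dir."""
    decoded = unquote(unquote(requested))  # tolerate single and double URL-encoding
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when 'decoded' is absolute, so '/etc/passwd' fails below
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def is_safe_delete(base_dir, requested):
    return resolve_requested_path(base_dir, requested) is not None

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def flag_suspicious_deletes(log_lines, base_dir=BACKUP_DIR, param="file"):
    """(request target, file value) for databasebackupajax_delete requests whose file
    parameter escapes base_dir. Only query-string parameters are visible in access logs;
    the parameter name 'file' is an assumption, not taken from the plugin."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query)
        if qs.get("action") != ["databasebackupajax_delete"]:
            continue
        hits.extend((m.group("target"), v) for v in qs.get(param, [])
                    if not is_safe_delete(base_dir, v))
    return hits

# Constructed sample access-log lines, not real traffic
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Mar/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=databasebackupajax_delete&file=site-2025-03-01.sql.gz HTTP/1.1" 200 54',
    '203.0.113.5 - - [01/Mar/2025:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=databasebackupajax_delete&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 54',
    '203.0.113.5 - - [01/Mar/2025:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12',
]
```

Running `flag_suspicious_deletes(SAMPLE_LOG)` returns only the second request; the same `is_safe_delete` check is what the plugin-side handler should apply before calling unlink.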
Update the Database Backup and check Tables Automated With Scheduler 2024 plugin to version 2.36 or later. This version contains a fix for the arbitrary file deletion vulnerability.
CVE-2024-13910 is a vulnerability in the Database Backup and check Tables Automated With Scheduler WordPress plugin allowing authenticated administrators to delete arbitrary files, potentially leading to remote code execution.
You are affected if you are using the Database Backup and check Tables Automated With Scheduler plugin in versions 2.35 or earlier. Upgrade to version 2.36 or later to mitigate the risk.
Upgrade the Database Backup and check Tables Automated With Scheduler plugin to version 2.36 or later. Consider restricting file permissions and implementing WAF rules as additional safeguards.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation suggests it may become a target.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and updates related to CVE-2024-13910.