Platform: wordpress
Component: backup-backup
Fixed in: 2.0.1
CVE-2025-14944 describes a Missing Authorization vulnerability found in the BackupBliss – Backup & Migration with Free Cloud Storage plugin for WordPress. An unauthenticated attacker can exploit this flaw to initiate backup upload queue processing, leading to unexpected data transfers and potential resource exhaustion on the server. This vulnerability affects versions up to and including 2.0.0, but a patch is available in version 2.1.0.
CVE-2025-14944 in the Backup Migration plugin for WordPress allows unauthenticated attackers to trigger the backup upload queue processing. This is due to a missing capability check on the 'initializeOfflineAjax' function and a lack of proper nonce verification. The endpoint only validates against hardcoded tokens publicly exposed in the plugin's JavaScript. An attacker could exploit this weakness to initiate unexpected backup transfers, potentially leading to server overload, denial of service, or even backup data manipulation. The CVSS severity score is 5.3, indicating a moderate risk.
An attacker could exploit this vulnerability using a tool like curl or Postman to send an HTTP POST request to the vulnerable endpoint, including a payload that simulates a backup upload. Given the weak token validation, the attacker could simply use the token hardcoded in the plugin's JavaScript. The lack of a capability check means the attacker does not need to be authenticated on the WordPress site to execute this action. Successful exploitation could result in the creation of multiple backup tasks, consuming server resources and potentially disrupting service.
Exploit Status
EPSS: 0.05% (14th percentile)
The solution to this vulnerability is to update the Backup Migration plugin to version 2.1.0 or higher. This version includes the necessary fixes to implement a proper capability check and robust nonce validation in the 'initializeOfflineAjax' function. WordPress site administrators using this plugin are strongly advised to apply the update as soon as possible to mitigate the risk of exploitation. Additionally, review server logs for suspicious activity related to the plugin, especially if the update is not applied immediately. Keeping plugins updated is a fundamental security practice.
Update to version 2.1.0, or a newer patched version
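To make the fix concrete, here is an added example of the two patterns described above in a hypothetical admin-ajax handler; it is not the BackupBliss plugin's code, and the action names, function names and the token constant are invented for illustration. The weak form accepts a static token that ships in public JavaScript and is reachable by logged-out visitors; the hardened form requires a per-user nonce and a capability check before touching the queue.

```php
<?php
// Added example, not the plugin's code. Hypothetical handler that starts a
// queued upload job via admin-ajax.php.

// Placeholder for the real work (hypothetical).
function myplugin_process_upload_queue() { /* start queued transfers */ }

// WEAK: the "secret" is a constant shipped to every visitor in the JS file,
// and the wp_ajax_nopriv_ hook makes the handler reachable without logging in.
define( 'MYPLUGIN_AJAX_TOKEN', 'static-token-in-public-js' ); // hypothetical

function myplugin_start_queue_weak() {
    if ( ! isset( $_POST['token'] ) || $_POST['token'] !== MYPLUGIN_AJAX_TOKEN ) {
        wp_send_json_error( 'bad token', 403 );
    }
    myplugin_process_upload_queue();
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_start_queue_weak', 'myplugin_start_queue_weak' );
add_action( 'wp_ajax_nopriv_myplugin_start_queue_weak', 'myplugin_start_queue_weak' );

// HARDENED: a valid nonce bound to this action and user, plus a capability
// check. No wp_ajax_nopriv_ hook is registered, so anonymous calls never reach it.
function myplugin_start_queue_hardened() {
    // Terminates with 403 if the nonce is missing, expired or for another action.
    check_ajax_referer( 'myplugin_start_queue', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    myplugin_process_upload_queue();
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_start_queue', 'myplugin_start_queue_hardened' );

// The nonce is minted server-side for the current user and handed to the admin
// page script at load time, instead of being a constant baked into the JS.
function myplugin_enqueue_admin_js() {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_start_queue' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_js' );
```

The weak and hardened handlers are registered under different action names only so both fit in one file; a real plugin would keep just the hardened one.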
A nonce is a unique, one-time-use number used to prevent Cross-Site Request Forgery (CSRF) attacks. It helps verify that a request originates from the legitimate website and not a malicious source.
In the WordPress admin dashboard, go to 'Plugins'. You will see a list of all installed plugins, along with available update notifications.
If you suspect your site has been compromised, immediately change all administrator passwords, scan the site for malware, and consider restoring from a clean backup.
There are WordPress vulnerability scanners that can detect this vulnerability. Some examples include WPScan and Sucuri SiteCheck.
CVSS (Common Vulnerability Scoring System) is a standard for assessing the severity of security vulnerabilities. A score of 5.3 indicates a moderate risk.