Platform: wordpress
Component: bearsthemes-bears-backup
Fixed in: 2.0.1
CVE-2025-5396 is a critical Remote Code Execution (RCE) vulnerability discovered in the Bears Backup WordPress plugin. The flaw allows unauthenticated attackers to execute arbitrary code on the server because of insufficient input validation in the bbackupajaxhandle() function. Versions 0.0.0 through 2.0.0 of the plugin are affected, and upgrading to the patched release is required to address the issue.
The impact of CVE-2025-5396 is severe. Successful exploitation allows an attacker to execute arbitrary code on the WordPress server with the privileges of the web server user. This could lead to complete compromise of the website, including data exfiltration, malware injection, and defacement. The ability to create new administrative user accounts further amplifies the attacker's control. Notably, this vulnerability can be chained with CVE-2025-5394 when using the Alone theme versions 7.8.4 and older, significantly increasing the attack surface.
CVE-2025-5396 was publicly disclosed on 2025-07-17. Exploitation is considered highly likely given the lack of authentication checks and the ease of exploitation. Public proof-of-concept (PoC) code is likely to emerge quickly, increasing the risk of widespread exploitation. The combination with CVE-2025-5394 further elevates the risk profile, particularly for sites using the Alone theme.
Exploit Status
EPSS: 0.73% (73rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-5396 is to immediately upgrade the Bears Backup plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to filter suspicious requests to the bbackupajaxhandle() endpoint can provide a temporary layer of defense. Monitor WordPress access logs for unusual activity and suspicious user agents targeting this endpoint. After upgrading, confirm the vulnerability is resolved by attempting a controlled code execution test through the plugin's AJAX interface.
Update the Bears Backup plugin to the latest available version, as older versions are vulnerable to remote code execution. Check the plugin's official sources (such as the WordPress repository or the developer's website) for the latest version and update instructions. Consider implementing additional security measures, such as limiting user permissions and keeping software updated.
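The log-monitoring and version-check advice above can be turned into a small script. The following is an added example, not code from the advisory or from the plugin: it parses combined-format web server access log lines, flags requests to admin-ajax.php whose query string names the suspect AJAX action, tallies them per source IP, and checks whether an installed plugin version falls in the affected range (0.0.0 through 2.0.0). The action string `bbackupajaxhandle` is an assumption taken from the PHP function name the advisory cites; the real wp_ajax action may differ, and a request that carries the action in a POST body instead of the query string will not appear in a standard access log, so pair this with WAF or request-body logging. The log lines are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumed AJAX action name (placeholder derived from the bbackupajaxhandle()
# function the advisory names; verify against the installed plugin's wp_ajax hooks).
SUSPECT_ACTION = "bbackupajaxhandle"

# First release the advisory lists as fixed.
FIXED_VERSION = (2, 0, 1)

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2025:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=bbackupajaxhandle HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.3 - - [17/Jul/2025:10:01:15 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2025:10:01:20 +0000] "POST /wp-admin/admin-ajax.php?action=BBackupAjaxHandle HTTP/1.1" 200 512 "-" "python-requests/2.32"
192.0.2.9 - - [17/Jul/2025:10:02:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "https://example.test/wp-admin/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspect(entry):
    """True when the request targets admin-ajax.php with the suspect action in its query string."""
    parsed = urlparse(entry["path"])
    # endswith() tolerates WordPress installed in a subdirectory.
    if not parsed.path.endswith("/admin-ajax.php"):
        return False
    action = parse_qs(parsed.query).get("action", [""])[0]
    return action.lower() == SUSPECT_ACTION


def scan_log(text):
    """Return the parsed entries that hit the suspect endpoint."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_suspect(entry):
            hits.append(entry)
    return hits


def hits_by_ip(hits):
    """Count flagged requests per source IP, useful for blocking or alert thresholds."""
    return Counter(h["ip"] for h in hits)


def parse_version(version):
    """Turn '2.0.1' (or '1.9') into a comparable tuple, padding missing components with 0."""
    parts = [int(p) for p in version.strip().split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version):
    """True for plugin versions 0.0.0 through 2.0.0, i.e. anything below the fixed release."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for h in flagged:
        print(f"[{h['ts']}] {h['ip']} {h['method']} {h['path']} ua={h['ua']!r}")
    print("per-IP counts:", dict(hits_by_ip(flagged)))
    for v in ("2.0.0", "2.0.1"):
        print(f"version {v}: {'AFFECTED' if is_affected_version(v) else 'patched'}")
```

On the sample input the two requests from 203.0.113.7 are flagged (the action match is case-insensitive), the plain admin-ajax.php request with no action is not, and the version check reports 2.0.0 as affected and 2.0.1 as patched. In production, feed the script the real access log and raise an alert on any hit from a source that has no authenticated session.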
CVE-2025-5396 is a critical Remote Code Execution vulnerability in the Bears Backup WordPress plugin, allowing attackers to execute code on the server without authentication.
Yes, if you are using the Bears Backup plugin versions 0.0.0 through 2.0.0, you are affected by this vulnerability. Sites using the Alone theme version 7.8.4 or older are at even higher risk.
Upgrade the Bears Backup plugin to a patched version as soon as possible. If upgrading is not immediately possible, disable the plugin and consider WAF rules.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation in the near future.
Refer to the WordPress security advisory and the Bears Backup plugin's official website for updates and announcements regarding this vulnerability.