Platform
wordpress
Component
backwpup
Fixed in
5.6.7
CVE-2026-6227 is a Local File Inclusion (LFI) vulnerability affecting the BackWPup WordPress plugin. This vulnerability allows authenticated administrators to include arbitrary PHP files on the server, potentially leading to sensitive data exposure or remote code execution. The vulnerability impacts versions of BackWPup up to and including 5.6.6, and a patch is available in version 5.6.7.
An attacker exploiting this LFI vulnerability could gain access to sensitive files on the WordPress server. The advisory specifically notes the potential to read the wp-config.php file, which holds the database credentials, authentication salts and other critical configuration. Recovering those credentials would give an attacker control over the WordPress site and its database. The advisory further indicates that remote code execution (RCE) is possible in certain configurations, which expands the impact to arbitrary command execution on the server, data theft, defacement or complete system compromise. Because exploitation requires an authenticated administrator, the realistic attack paths are a compromised or malicious administrator account, or a chained weakness that yields one.
CVE-2026-6227 was publicly disclosed on 2026-04-13. Currently, there are no reports of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation and the vulnerability's impact. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.41% (61st percentile)
The primary mitigation for CVE-2026-6227 is to upgrade the BackWPup plugin to version 5.6.7 or later immediately. If upgrading is not immediately feasible because of compatibility or testing requirements, restrict access to the /wp-json/backwpup/v1/getblock endpoint as a stopgap. Note that limiting the endpoint to administrators does not by itself close the gap, since the flaw is exploitable by authenticated administrators; block the endpoint outright, or limit it to trusted source addresses, until the upgrade is applied. Web Application Firewall (WAF) rules can block requests carrying path traversal sequences, including obfuscated forms such as ....// that survive a single removal of ../ and percent-encoded variants such as %2e%2e%2f. After upgrading, verify the fix by requesting the /wp-json/backwpup/v1/getblock endpoint with a crafted path traversal payload; the request should be denied.
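The following script is an added example, not code from the plugin or from this advisory: it implements the detection logic a WAF rule or log review for this CVE needs, run over a few constructed access-log lines. It normalises each request target (repeated percent-decoding, backslash-to-slash, so that %2e%2e%2f, double-encoded %252e and the ....// trick all collapse to a visible ../) and flags requests to the BackWPup getblock route. The query parameter name path is an assumption for illustration; the check deliberately does not depend on it. It also covers the WordPress fallback form index.php?rest_route=/backwpup/v1/getblock, which a rule keyed only on the /wp-json/ prefix would miss.

```python
"""Detect path-traversal attempts against the BackWPup getblock REST route
in web-server access logs.  Added example; log lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/wp-json/backwpup/v1/getblock"
# REST route as it appears in the ?rest_route= fallback (no /wp-json prefix).
REST_ROUTE = ENDPOINT[len("/wp-json"):]

# Request line inside a combined-format log entry: "METHOD TARGET HTTP/x.y"
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (not real traffic). The parameter name "path" is an
# assumption; detection does not rely on it.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Apr/2026:10:01:02 +0000] "GET /wp-json/backwpup/v1/getblock?path=....//....//wp-config.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Apr/2026:10:01:09 +0000] "GET /wp-json/backwpup/v1/getblock?path=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2026:10:02:11 +0000] "GET /wp-json/backwpup/v1/getblock?path=blocks/header.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Apr/2026:10:03:30 +0000] "GET /wp-json/wp/v2/posts?search=..%2Fx HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Apr/2026:10:04:45 +0000] "GET /index.php?rest_route=/backwpup/v1/getblock&path=..%252F..%252Fwp-config.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
]


def normalize(value: str, rounds: int = 3) -> str:
    """Undo the encodings a naive filter misses.

    Percent-decode repeatedly (catches %2e%2e%2f and double-encoded %252e),
    then treat backslashes as slashes. No collapsing of '....//' is needed:
    once decoded it already contains '../' as a substring, which is exactly
    why it defeats a filter that strips '../' a single time.
    """
    s = value
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if the normalised target contains a '..' path step."""
    return re.search(r"\.\.[/\\]", normalize(target)) is not None


def targets_endpoint(target: str) -> bool:
    """True if the request reaches the getblock route by either URL form."""
    parts = urlsplit(target)
    if normalize(parts.path).startswith(ENDPOINT):
        return True
    # Sites without pretty permalinks expose the REST API as
    # /index.php?rest_route=/backwpup/v1/getblock; match that form too.
    for route in parse_qs(parts.query).get("rest_route", []):
        if normalize(route).startswith(REST_ROUTE):
            return True
    return False


def scan(log_lines):
    """Return (client_ip, request_target) for suspicious getblock requests."""
    hits = []
    for line in log_lines:
        m = _REQ_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if targets_endpoint(target) and has_traversal(target):
            hits.append((line.split(" ", 1)[0], target))
    return hits


if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

Run against real logs by replacing SAMPLE_LOG with the file's lines. Three of the five constructed entries are flagged: the plain ....// request, the percent-encoded one, and the double-encoded rest_route form; the legitimate getblock request and the traversal aimed at an unrelated route are not. Any hit from an account that should not have been issuing backup requests, or any hit at all after the upgrade to 5.6.7, warrants investigation of that administrator session.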
Update to version 5.6.7, or a newer patched version
CVE-2026-6227 is a Local File Inclusion vulnerability in the BackWPup plugin for WordPress, allowing authenticated administrators to include arbitrary PHP files.
You are affected if you are using BackWPup version 5.6.6 or earlier. Upgrade to 5.6.7 to mitigate the risk.
Upgrade the BackWPup plugin to version 5.6.7 or later. Consider restricting access to the vulnerable endpoint as a temporary workaround.
There are currently no confirmed reports of active exploitation, but public POCs are likely to emerge.
Refer to the BackWPup plugin website or WordPress.org plugin page for the latest advisory and update information.