
Description

The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system.
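The CWE-78 pattern the description refers to, as an added illustration that is not code from the WP Database Backup plugin or from the advisory: a `mysqldump` command line is assembled from backup settings by string concatenation and handed to the shell, so any setting an attacker can write (here a database name) becomes a second shell command. The function names, the settings array and the payload are constructed for this example; the hardened variant shows the two controls a reviewer would expect, `escapeshellarg()` on every attacker-reachable value and confinement of the output path to a fixed backup directory.

```php
<?php
// Added example for the OS command injection class in CVE-2019-25224.
// Hypothetical helper names; this is not the plugin's own code.

// Vulnerable: settings are interpolated straight into the command string.
// If any field contains shell metacharacters (; | & ` $( ) the shell
// interprets them, so a crafted database name runs an attacker-chosen command.
function build_dump_command_vulnerable(array $s): string
{
    return "mysqldump --host={$s['host']} --user={$s['user']} "
         . "--password={$s['pass']} {$s['db']} > {$s['out']}";
}

// Hardened: each value is wrapped by escapeshellarg(), which single-quotes it
// and escapes embedded quotes, so the shell passes it to mysqldump as exactly
// one argument. basename() strips any directory component from the requested
// output name so the dump cannot be written outside $backup_dir.
function build_dump_command_hardened(array $s, string $backup_dir): string
{
    $out = rtrim($backup_dir, '/') . '/' . basename($s['out']);
    return 'mysqldump'
         . ' --host=' . escapeshellarg($s['host'])
         . ' --user=' . escapeshellarg($s['user'])
         . ' --password=' . escapeshellarg($s['pass'])
         . ' ' . escapeshellarg($s['db'])
         . ' > ' . escapeshellarg($out);
}

// Constructed sample settings: the database name carries an injection payload
// and the output name attempts path traversal.
$settings = [
    'host' => 'localhost',
    'user' => 'wp',
    'pass' => 'secret',
    'db'   => 'wordpress; id > /tmp/pwned #',
    'out'  => '../../../../tmp/backup.sql',
];

// In the vulnerable string the ';' ends the mysqldump command and the shell
// runs "id > /tmp/pwned" next; '#' comments out the rest of the line.
echo build_dump_command_vulnerable($settings), PHP_EOL;

// In the hardened string the whole payload is one quoted argument, so
// mysqldump simply fails with an unknown-database error, and the output path
// is pinned under the backup directory.
echo build_dump_command_hardened($settings, '/var/www/html/wp-content/backups'), PHP_EOL;
```

Escaping is the minimum fix for the command string itself; on PHP 7.4 and later a stronger option is to pass an argv array to `proc_open()`, which starts `mysqldump` without a shell at all. Neither addresses the "unauthenticated" part of the description: the settings that feed this command must only be writable by a user with the appropriate capability (a nonce and `current_user_can()` check on the save handler), since a hardened command builder does not help if an unauthenticated request can still choose which binary path or options are run.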

State: Published | Reserved 2025-07-24 | Published 2025-07-25 | Updated 2026-04-08 | Assigner: Wordfence

Severity

CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

Any version before 5.2: affected

Timeline

2019-04-24: Disclosed

References

www.wordfence.com/...-9d75-43a2-9e81-67116f0bf896?source=cve

www.wordfence.com/...y-patched-in-wp-database-backup-plugin/

plugins.trac.wordpress.org/...set/2078035/wp-database-backup

blog.sucuri.net/...mand-injection-in-wp-database-backup.html

packetstormsecurity.com/files/153781/

raw.githubusercontent.com/.../multi/http/wp_db_backup_rce.rb

cve.org (CVE-2019-25224)

nvd.nist.gov (CVE-2019-25224)
