Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-10028

CVE-2024-10028: Everest Backup Information Disclosure Bug

CVE-2024-10028 is an information disclosure flaw in Everest Backup for WordPress that allows unauthenticated attackers to access backup files. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2024-10028 Overview

CVE-2024-10028 is a sensitive information exposure vulnerability in the Everest Backup WordPress plugin. The flaw affects all versions up to and including 2.2.13. The plugin exposes a process stats file during the backup process, which reveals the archive file name of the generated backup. Unauthenticated attackers can read this file remotely and use the disclosed archive name to download the complete site backup. Successful exploitation grants access to database contents, configuration files, and other sensitive site data contained in the backup archive. The issue is classified under CWE-922: Insecure Storage of Sensitive Information.

Critical Impact

Unauthenticated remote attackers can download full site backups containing database dumps, credentials, and configuration data from affected WordPress installations.

Affected Products

  • Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
  • All versions up to and including 2.2.13
  • WordPress sites running the everest-backup plugin from everestthemes

Discovery Timeline

  • 2024-11-06 - CVE-2024-10028 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-10028

Vulnerability Analysis

The Everest Backup plugin generates backup archives and writes operational metadata to a process stats file during execution. This file remains accessible from the web without authentication checks. The metadata includes the name of the archive being created, which the plugin stores in a predictable directory structure on the WordPress filesystem.

Attackers query the exposed stats file over HTTP and parse the archive name. They then construct a direct URL to the archive and retrieve the backup file. The download succeeds because the archive itself is served by the web server without access control while the backup operation is in progress or after completion.

The attack requires no credentials, no user interaction, and no elevated privileges. Backups created by this plugin typically contain a full database export, wp-config.php contents, uploaded media, and plugin or theme files. Exposure of these artifacts enables credential theft, session hijacking, and follow-on compromise of the WordPress site.

Root Cause

The vulnerable code path resides in inc/classes/class-backup-directory.php at approximately line 514 in the 2.2.13 release. The plugin writes process state to a file that is reachable through the web server and does not apply authorization checks or randomize the archive filename with sufficient entropy. See the WordPress Plugin Code Review for the affected source.

Attack Vector

Exploitation occurs over the network against the public-facing WordPress site. An attacker sends an HTTP request to the known path of the process stats file, extracts the archive filename from the response, and issues a second HTTP request to download the archive. The vulnerability mechanism is documented in the Wordfence Vulnerability Report.

Detection Methods for CVE-2024-10028

Indicators of Compromise

  • Unauthenticated HTTP GET requests to Everest Backup process stats files within wp-content/ directories.
  • Outbound transfers of large .zip or backup archive files from the WordPress uploads or plugin directories to unknown external IP addresses.
  • Access log entries containing references to everest-backup paths from non-administrative IP addresses.

Detection Strategies

  • Review web server access logs for sequential requests that first read a stats or status file under the Everest Backup plugin path, then download an archive file.
  • Alert on anonymous downloads of files matching backup archive naming conventions from WordPress instances.
  • Inventory WordPress sites and identify any running everest-backup plugin at version 2.2.13 or below.

Monitoring Recommendations

  • Enable WordPress access logging and forward web logs to a centralized log analytics platform for correlation.
  • Monitor egress traffic for unusual data volumes originating from WordPress hosts.
  • Track plugin version inventory across hosted WordPress sites and flag installations of everest-backup below 2.2.14.

How to Mitigate CVE-2024-10028

Immediate Actions Required

  • Update the Everest Backup plugin to a version later than 2.2.13 that addresses the exposed process stats file.
  • Rotate all secrets contained in recent backups, including database passwords, WordPress salts in wp-config.php, and any stored API keys.
  • Audit web server access logs for prior unauthorized access to backup archives and the stats file.

Patch Information

The vendor fix is tracked through the WordPress plugin repository. Administrators should upgrade to the latest available release of the everest-backup plugin via the WordPress admin dashboard or by replacing the plugin directory with the patched version. Reference the WordPress Plugin Code Review for the vulnerable code location and confirm the installed version is above 2.2.13.

Workarounds

  • Deactivate and remove the Everest Backup plugin until the patched version is installed.
  • Block public access to the plugin directory using web server rules, for example denying HTTP access to wp-content/uploads/everest-backup/ and related stats file paths.
  • Move existing backup archives off the web root to a location not served by the web server.
  • Place the WordPress site behind a Web Application Firewall (WAF) and add rules that block requests to the exposed stats file path.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.