CVE-2024-10028 Overview
CVE-2024-10028 is a sensitive information exposure vulnerability in the Everest Backup WordPress plugin. The flaw affects all versions up to and including 2.2.13. The plugin exposes a process stats file during the backup process, which reveals the archive file name of the generated backup. Unauthenticated attackers can read this file remotely and use the disclosed archive name to download the complete site backup. Successful exploitation grants access to database contents, configuration files, and other sensitive site data contained in the backup archive. The issue is classified under CWE-922: Insecure Storage of Sensitive Information.
Critical Impact
Unauthenticated remote attackers can download full site backups containing database dumps, credentials, and configuration data from affected WordPress installations.
Affected Products
- Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
- All versions up to and including 2.2.13
- WordPress sites running the everest-backup plugin from everestthemes
Discovery Timeline
- 2024-11-06 - CVE-2024-10028 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-10028
Vulnerability Analysis
The Everest Backup plugin generates backup archives and writes operational metadata to a process stats file during execution. This file remains accessible from the web without authentication checks. The metadata includes the name of the archive being created, which the plugin stores in a predictable directory structure on the WordPress filesystem.
Attackers query the exposed stats file over HTTP and parse the archive name. They then construct a direct URL to the archive and retrieve the backup file. The download succeeds because the archive itself is served by the web server without access control while the backup operation is in progress or after completion.
The attack requires no credentials, no user interaction, and no elevated privileges. Backups created by this plugin typically contain a full database export, wp-config.php contents, uploaded media, and plugin or theme files. Exposure of these artifacts enables credential theft, session hijacking, and follow-on compromise of the WordPress site.
Root Cause
The vulnerable code path resides in inc/classes/class-backup-directory.php at approximately line 514 in the 2.2.13 release. The plugin writes process state to a file that is reachable through the web server and does not apply authorization checks or randomize the archive filename with sufficient entropy. See the WordPress Plugin Code Review for the affected source.
Attack Vector
Exploitation occurs over the network against the public-facing WordPress site. An attacker sends an HTTP request to the known path of the process stats file, extracts the archive filename from the response, and issues a second HTTP request to download the archive. The vulnerability mechanism is documented in the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-10028
Indicators of Compromise
- Unauthenticated HTTP GET requests to Everest Backup process stats files within wp-content/ directories.
- Outbound transfers of large .zip or backup archive files from the WordPress uploads or plugin directories to unknown external IP addresses.
- Access log entries containing references to everest-backup paths from non-administrative IP addresses.
Detection Strategies
- Review web server access logs for sequential requests that first read a stats or status file under the Everest Backup plugin path, then download an archive file.
- Alert on anonymous downloads of files matching backup archive naming conventions from WordPress instances.
- Inventory WordPress sites and identify any running everest-backup plugin at version 2.2.13 or below.
Monitoring Recommendations
- Enable WordPress access logging and forward web logs to a centralized log analytics platform for correlation.
- Monitor egress traffic for unusual data volumes originating from WordPress hosts.
- Track plugin version inventory across hosted WordPress sites and flag installations of everest-backup below 2.2.14.
How to Mitigate CVE-2024-10028
Immediate Actions Required
- Update the Everest Backup plugin to a version later than 2.2.13 that addresses the exposed process stats file.
- Rotate all secrets contained in recent backups, including database passwords, WordPress salts in wp-config.php, and any stored API keys.
- Audit web server access logs for prior unauthorized access to backup archives and the stats file.
Patch Information
The vendor fix is tracked through the WordPress plugin repository. Administrators should upgrade to the latest available release of the everest-backup plugin via the WordPress admin dashboard or by replacing the plugin directory with the patched version. Reference the WordPress Plugin Code Review for the vulnerable code location and confirm the installed version is above 2.2.13.
Workarounds
- Deactivate and remove the Everest Backup plugin until the patched version is installed.
- Block public access to the plugin directory using web server rules, for example denying HTTP access to wp-content/uploads/everest-backup/ and related stats file paths.
- Move existing backup archives off the web root to a location not served by the web server.
- Place the WordPress site behind a Web Application Firewall (WAF) and add rules that block requests to the exposed stats file path.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

