Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-11380

CVE-2025-11380: Everest Backup Information Disclosure

CVE-2025-11380 is an information disclosure flaw in Everest Backup plugin for WordPress that allows unauthenticated attackers to access backup file locations. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-11380 Overview

CVE-2025-11380 affects the Everest Backup WordPress plugin, a cloud backup, migration, restore, and cloning solution. The vulnerability results from a missing capability check on the everest_process_status AJAX action in all versions up to and including 2.3.5. Unauthenticated attackers can retrieve backup file locations that they can subsequently access and download. Exploitation requires an active backup process to be running at the time of the attack. The flaw is categorized under [CWE-862] Missing Authorization.

Critical Impact

Unauthenticated attackers can retrieve sensitive backup file locations from affected WordPress sites during active backup operations, potentially leading to disclosure of full site data including database contents and configuration files.

Affected Products

  • Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
  • All plugin versions up to and including 2.3.5
  • WordPress sites with the plugin installed and backup operations enabled

Discovery Timeline

  • 2025-10-11 - CVE-2025-11380 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-11380

Vulnerability Analysis

The vulnerability exists in the everest_process_status AJAX handler exposed by the Everest Backup plugin. The handler does not verify the capabilities or authentication state of the requester before returning backup status information. When a backup operation is in progress, the endpoint returns metadata that includes the storage location of the backup archive. An unauthenticated attacker can poll this endpoint and extract the backup file path. The attacker can then request the archive directly and download the contents.

The attack requires a backup to be running at the moment of exploitation. This condition raises attack complexity, since attackers must either time their requests to coincide with scheduled backups or continuously probe the endpoint. The confidentiality impact is high because backup archives typically contain the full WordPress database, uploads, and configuration files such as wp-config.php.

Root Cause

The root cause is a missing authorization check [CWE-862] in the AJAX action handler. The plugin registers the everest_process_status action for both authenticated (wp_ajax_) and unauthenticated (wp_ajax_nopriv_) contexts without validating that the caller has permission to view backup status. The handler returns sensitive filesystem paths without gating access behind a current_user_can() capability check or a nonce verification.

Attack Vector

The vulnerability is exploitable over the network without authentication or user interaction. An attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to everest_process_status while a backup is in progress. The response discloses the backup file location. The attacker then issues a direct HTTP GET request to that location to retrieve the archive.

No verified exploitation code has been released. Refer to the Wordfence Vulnerability Report for additional technical details.

Detection Methods for CVE-2025-11380

Indicators of Compromise

  • Unauthenticated POST requests to /wp-admin/admin-ajax.php containing action=everest_process_status
  • Repeated polling of the everest_process_status endpoint from a single source IP
  • Direct HTTP GET requests to backup archive paths from external IPs, particularly .zip or .ebwp files under the plugin's storage directory
  • Access to backup files by user agents not associated with legitimate administrative sessions

Detection Strategies

  • Review web server access logs for unauthenticated requests to the everest_process_status AJAX action
  • Correlate backup file downloads with WordPress administrative session activity to identify unauthorized retrievals
  • Monitor for enumeration patterns targeting the plugin's backup directory

Monitoring Recommendations

  • Enable verbose logging on admin-ajax.php and alert on high-frequency requests to backup-related actions
  • Restrict direct HTTP access to backup storage directories through web server configuration
  • Deploy a web application firewall rule blocking unauthenticated calls to everest_process_status

How to Mitigate CVE-2025-11380

Immediate Actions Required

  • Update the Everest Backup plugin to the version released after 2.3.5 that includes the capability check fix
  • Audit backup storage directories for unexpected access and rotate any credentials contained in exposed backups
  • Restrict access to /wp-admin/admin-ajax.php and backup directories using web application firewall rules or .htaccess controls

Patch Information

The vendor addressed the vulnerability by adding a capability check to the everest_process_status AJAX action handler. Details of the code change are available in the WordPress Changeset Update. Administrators should upgrade to the fixed version distributed through the WordPress plugin repository.

Workarounds

  • Disable the Everest Backup plugin until the patched version is deployed
  • Block external requests to admin-ajax.php where the action parameter equals everest_process_status at the web server or WAF layer
  • Move backup storage outside the web root or protect the backup directory with authentication controls
bash
# Apache configuration example: block direct access to backup archives
<FilesMatch "\.(ebwp|zip)$">
    Require all denied
</FilesMatch>

# Nginx equivalent: deny access to the backup directory
location ~ ^/wp-content/uploads/everest-backup/ {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.