CVE-2025-11380 Overview
CVE-2025-11380 affects the Everest Backup WordPress plugin, a cloud backup, migration, restore, and cloning solution. The vulnerability results from a missing capability check on the everest_process_status AJAX action in all versions up to and including 2.3.5. Unauthenticated attackers can retrieve backup file locations that they can subsequently access and download. Exploitation requires an active backup process to be running at the time of the attack. The flaw is categorized under [CWE-862] Missing Authorization.
Critical Impact
Unauthenticated attackers can retrieve sensitive backup file locations from affected WordPress sites during active backup operations, potentially leading to disclosure of full site data including database contents and configuration files.
Affected Products
- Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
- All plugin versions up to and including 2.3.5
- WordPress sites with the plugin installed and backup operations enabled
Discovery Timeline
- 2025-10-11 - CVE-2025-11380 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-11380
Vulnerability Analysis
The vulnerability exists in the everest_process_status AJAX handler exposed by the Everest Backup plugin. The handler does not verify the capabilities or authentication state of the requester before returning backup status information. When a backup operation is in progress, the endpoint returns metadata that includes the storage location of the backup archive. An unauthenticated attacker can poll this endpoint and extract the backup file path. The attacker can then request the archive directly and download the contents.
The attack requires a backup to be running at the moment of exploitation. This condition raises attack complexity, since attackers must either time their requests to coincide with scheduled backups or continuously probe the endpoint. The confidentiality impact is high because backup archives typically contain the full WordPress database, uploads, and configuration files such as wp-config.php.
Root Cause
The root cause is a missing authorization check [CWE-862] in the AJAX action handler. The plugin registers the everest_process_status action for both authenticated (wp_ajax_) and unauthenticated (wp_ajax_nopriv_) contexts without validating that the caller has permission to view backup status. The handler returns sensitive filesystem paths without gating access behind a current_user_can() capability check or a nonce verification.
Attack Vector
The vulnerability is exploitable over the network without authentication or user interaction. An attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to everest_process_status while a backup is in progress. The response discloses the backup file location. The attacker then issues a direct HTTP GET request to that location to retrieve the archive.
No verified exploitation code has been released. Refer to the Wordfence Vulnerability Report for additional technical details.
Detection Methods for CVE-2025-11380
Indicators of Compromise
- Unauthenticated POST requests to /wp-admin/admin-ajax.php containing action=everest_process_status
- Repeated polling of the everest_process_status endpoint from a single source IP
- Direct HTTP GET requests to backup archive paths from external IPs, particularly .zip or .ebwp files under the plugin's storage directory
- Access to backup files by user agents not associated with legitimate administrative sessions
Detection Strategies
- Review web server access logs for unauthenticated requests to the everest_process_status AJAX action
- Correlate backup file downloads with WordPress administrative session activity to identify unauthorized retrievals
- Monitor for enumeration patterns targeting the plugin's backup directory
Monitoring Recommendations
- Enable verbose logging on admin-ajax.php and alert on high-frequency requests to backup-related actions
- Restrict direct HTTP access to backup storage directories through web server configuration
- Deploy a web application firewall rule blocking unauthenticated calls to everest_process_status
How to Mitigate CVE-2025-11380
Immediate Actions Required
- Update the Everest Backup plugin to the version released after 2.3.5 that includes the capability check fix
- Audit backup storage directories for unexpected access and rotate any credentials contained in exposed backups
- Restrict access to /wp-admin/admin-ajax.php and backup directories using web application firewall rules or .htaccess controls
Patch Information
The vendor addressed the vulnerability by adding a capability check to the everest_process_status AJAX action handler. Details of the code change are available in the WordPress Changeset Update. Administrators should upgrade to the fixed version distributed through the WordPress plugin repository.
Workarounds
- Disable the Everest Backup plugin until the patched version is deployed
- Block external requests to admin-ajax.php where the action parameter equals everest_process_status at the web server or WAF layer
- Move backup storage outside the web root or protect the backup directory with authentication controls
# Apache configuration example: block direct access to backup archives
<FilesMatch "\.(ebwp|zip)$">
Require all denied
</FilesMatch>
# Nginx equivalent: deny access to the backup directory
location ~ ^/wp-content/uploads/everest-backup/ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

