CVE-2025-15041 Overview
The BackWPup – WordPress Backup & Restore Plugin for WordPress contains a critical missing-authorization vulnerability that lets any authenticated user escalate privileges by modifying WordPress site options. The vulnerability exists because the save_site_option() function performs no capability check, in all versions up to and including 5.6.2.
Critical Impact
Authenticated attackers, including accounts with the lowest privilege level, can modify arbitrary WordPress options. By changing the default user registration role and enabling registration, they can create administrator accounts and gain full administrative access to vulnerable WordPress installations.
Affected Products
- BackWPup – WordPress Backup & Restore Plugin versions up to and including 5.6.2
- WordPress sites running vulnerable BackWPup plugin versions
Discovery Timeline
- 2026-02-19 - CVE-2025-15041 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2025-15041
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), a broken access control flaw that occurs when a software component does not perform proper authorization checks before allowing access to a protected resource or functionality. In the context of the BackWPup plugin, the save_site_option() function lacks appropriate capability verification, allowing authenticated users with minimal privileges to invoke functionality that should be restricted to administrators.
The attack goes through the plugin's REST API endpoint handling, whose authorization logic does not verify that the requesting user is permitted to modify WordPress site options. Because the option name and value are attacker-controlled, this single missing check is enough to drive a privilege escalation chain through WordPress's own registration settings.
Root Cause
The root cause lies in the missing capability check within the save_site_option() function located in the plugin's REST API handler. WordPress plugins are expected to verify user capabilities using functions like current_user_can() before performing privileged operations; WordPress core's update_option() performs no capability check of its own, so enforcing one is entirely the caller's responsibility. The vulnerable code path in BackWPup's Rest.php file allows the function to execute without verifying that the authenticated user has the manage_options capability, which is the capability WordPress requires for modifying site options.
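To make the root cause concrete, the following is an added illustration written for this page; it is not BackWPup's code and does not reproduce its Rest.php. It shows a REST route that only checks that the caller is logged in next to the hardened form that checks manage_options and allow-lists the options that may be written. The namespace example/v1, the callback names and the option names are assumptions.

```php
<?php
/**
 * Illustrative "save a site option" REST route, modelled on the class of flaw
 * described for CVE-2025-15041. Namespace, callback names, option names and
 * the request shape are assumptions for this example; this is not BackWPup's
 * code.
 */

// VULNERABLE pattern: the route is reachable by any logged-in user, but never
// asks whether that user may manage options. WordPress core's update_option()
// performs no capability check of its own, so a subscriber can overwrite any
// option, including default_role and users_can_register.
function example_register_vulnerable_route() {
    register_rest_route( 'example/v1', '/site-option', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_save_site_option',
        'permission_callback' => 'is_user_logged_in',   // authentication only, no authorization
    ) );
}

// HARDENED pattern: require manage_options (administrators, and super admins on
// multisite) and accept only a fixed list of option names instead of an
// arbitrary one supplied by the client.
function example_register_hardened_route() {
    register_rest_route( 'example/v1', '/site-option', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_save_site_option',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'option' => array(
                'required' => true,
                'type'     => 'string',
                // Allow-list of options this endpoint may touch (assumed names).
                'enum'     => array( 'example_backup_dir', 'example_retention_days' ),
            ),
            'value'  => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}

// Only the hardened route is registered; the vulnerable one is kept for comparison.
add_action( 'rest_api_init', 'example_register_hardened_route' );

function example_save_site_option( WP_REST_Request $request ) {
    // Defense in depth: re-check inside the callback as well, so the function
    // stays safe if it is ever reused outside this route.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }

    $option = $request->get_param( 'option' );
    $value  = $request->get_param( 'value' );

    update_option( $option, $value );

    return rest_ensure_response( array( 'option' => $option, 'updated' => true ) );
}
```

The permission_callback is the place WordPress expects authorization to live; is_user_logged_in() there is an authentication check, not an authorization check, which is exactly the gap CWE-862 describes. The enum on the option argument closes the second half of the problem: even an administrator should not be able to reach core options such as default_role through a backup plugin's endpoint.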
Attack Vector
The attack is network-based and requires only an authenticated account on the WordPress site, at any privilege level. The exploitation flow involves:
- An attacker authenticates to the WordPress site with any valid user account
- The attacker crafts a malicious request to the BackWPup REST API endpoint
- The vulnerable save_site_option() function processes the request without capability verification
- The attacker modifies the default_role option to administrator
- The attacker enables user registration via the users_can_register option
- The attacker registers a new account, which automatically receives administrator privileges
The vulnerability can be exploited through direct REST API calls targeting the BackWPup plugin endpoints. Technical details of the vulnerable code can be found in the WordPress BackWPup API Code on the WordPress Plugin Trac.
Detection Methods for CVE-2025-15041
Indicators of Compromise
- Unexpected modifications to the default_role WordPress option, particularly changes to administrator
- Sudden enabling of user registration (users_can_register option set to 1) without administrative action
- New user accounts with administrator privileges that were not created by legitimate administrators
- Unusual REST API activity targeting BackWPup plugin endpoints from non-administrative users
- WordPress options table entries showing recent modifications to registration-related settings
Detection Strategies
- Monitor WordPress REST API logs for requests to BackWPup endpoints from users without administrative capabilities
- Audit changes to the wp_options table (for example with a database trigger, a WordPress updated_option hook, or an activity-log plugin) to detect unauthorized option modifications; file integrity monitoring does not cover database rows
- Review user account creation logs for suspicious administrator account registrations
- Deploy Web Application Firewall (WAF) rules to detect and block exploitation attempts against the vulnerable endpoint
- Audit authentication logs for privilege escalation patterns following low-privilege user logins
Monitoring Recommendations
- Enable detailed logging for WordPress REST API requests, particularly those targeting plugin-specific endpoints
- Configure alerts for changes to critical WordPress options such as default_role and users_can_register
- Implement real-time monitoring of new user registrations with elevated privileges
- Establish baseline behavior for BackWPup plugin API usage to identify anomalous access patterns
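The detection strategies and monitoring recommendations above can be implemented inside WordPress itself. The following must-use plugin is an added example written for this page, not part of BackWPup or of the original advisory. It alerts on changes to registration-related options made by users without manage_options, on new accounts that land in a privileged role, and on REST requests to the plugin's namespace from non-administrators. The error log as alert sink, the watched option list, the privileged-role list and the /backwpup/ route prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Example Privilege-Escalation Audit (mu-plugin)
 *
 * Added monitoring example for CVE-2025-15041 style option tampering; not
 * BackWPup code and not from the original advisory. Place the file in
 * wp-content/mu-plugins/ so it loads before ordinary plugins. Writes to the
 * PHP error log; route prefix, option list and role list are assumptions.
 */

// Options an attacker flips to turn open registration into admin access.
const EXAMPLE_WATCHED_OPTIONS = array( 'default_role', 'users_can_register', 'admin_email', 'siteurl', 'home' );
const EXAMPLE_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

// Who is acting, from where, on which URI. Values are logged verbatim, so
// treat the log as untrusted input when parsing it downstream.
function example_audit_context() {
    $user = wp_get_current_user();
    return sprintf(
        'user=%s(id=%d) ip=%s uri=%s',
        $user->exists() ? $user->user_login : 'anon',
        $user->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    );
}

// 1. updated_option fires for every caller of update_option(): the REST path,
//    WP-CLI and plugin code alike. A watched option changed by a user who
//    lacks manage_options is the signature of a missing-capability bug.
add_action( 'updated_option', function ( $option, $old, $new ) {
    if ( ! in_array( $option, EXAMPLE_WATCHED_OPTIONS, true ) ) {
        return;
    }
    $severity = current_user_can( 'manage_options' ) ? 'INFO' : 'ALERT';
    error_log( sprintf(
        '[%s] option %s changed %s -> %s by %s',
        $severity, $option, wp_json_encode( $old ), wp_json_encode( $new ), example_audit_context()
    ) );
}, 10, 3 );

// 2. user_register fires after the new user's role has been assigned, so the
//    roles seen here already reflect default_role at registration time.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && array_intersect( EXAMPLE_PRIVILEGED_ROLES, $user->roles ) ) {
        error_log( sprintf(
            '[ALERT] new user %s (id=%d) registered with roles %s; default_role=%s users_can_register=%s; %s',
            $user->user_login, $user_id, implode( ',', $user->roles ),
            get_option( 'default_role' ), get_option( 'users_can_register' ), example_audit_context()
        ) );
    }
} );

// 3. rest_pre_dispatch runs after REST authentication, so current_user_can()
//    reflects the cookie- or application-password-authenticated caller.
//    Legitimate use of a backup plugin's API comes from administrators.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();   // e.g. "/backwpup/v1/..." (prefix assumed)
    if ( 0 === strpos( $route, '/backwpup/' ) && ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            '[ALERT] non-admin %s %s params=%s by %s',
            $request->get_method(), $route, wp_json_encode( $request->get_params() ), example_audit_context()
        ) );
    }
    return $result;
}, 10, 3 );
```

Hooking updated_option rather than the plugin's endpoint means the alert still fires if a second, as yet unknown, code path writes the same options. Forward the error log to the SIEM or alerting system already in use rather than relying on someone reading it on the host.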
How to Mitigate CVE-2025-15041
Immediate Actions Required
- Update BackWPup plugin to a patched version immediately (versions above 5.6.2)
- Audit existing WordPress user accounts for any unauthorized administrator accounts created through exploitation
- Review WordPress options table for unauthorized modifications to default_role and users_can_register settings
- Temporarily disable the BackWPup plugin if immediate patching is not possible
- Implement Web Application Firewall rules to block exploitation attempts while patching is scheduled
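The account and option audit listed above can be scripted. The following is an added example written for this page, not part of BackWPup or the advisory, meant to be run once through WP-CLI's eval-file on each site after patching. It reports a non-default default_role, enabled registration, privileged accounts registered inside a lookback window, and a still-vulnerable plugin version. The 30-day window, the privileged-role list and the plugin file path are assumptions.

```php
<?php
/**
 * Post-exploitation audit for a CVE-2025-15041 style registration-role chain.
 * Added example; not BackWPup code and not from the original advisory.
 * Run from the site root:  wp eval-file audit-cve-2025-15041.php
 * Window length, privileged-role list and plugin path are assumptions.
 */

$window_days      = 30;
$privileged_roles = array( 'administrator', 'editor' );
$findings         = array();

// 1. Registration-related options that the attack chain manipulates.
$default_role = get_option( 'default_role' );
$can_register = get_option( 'users_can_register' );
if ( 'subscriber' !== $default_role ) {
    $findings[] = "default_role is '$default_role' (WordPress default is 'subscriber')";
}
if ( $can_register ) {
    $findings[] = 'users_can_register is enabled';
}

// 2. Privileged accounts created inside the window, oldest first. Review each
//    one against the legitimate admins' own records, not against this list alone.
$since  = gmdate( 'Y-m-d H:i:s', time() - $window_days * DAY_IN_SECONDS );
$recent = get_users( array(
    'role__in'   => $privileged_roles,
    'date_query' => array( array( 'after' => $since, 'column' => 'user_registered' ) ),
    'orderby'    => 'registered',
    'order'      => 'ASC',
) );
foreach ( $recent as $u ) {
    $findings[] = sprintf(
        'privileged account %s (id=%d, roles=%s) registered %s',
        $u->user_login, $u->ID, implode( ',', $u->roles ), $u->user_registered
    );
}

// 3. Installed plugin version, to confirm the fix actually landed.
require_once ABSPATH . 'wp-admin/includes/plugin.php';
$plugin_file = WP_PLUGIN_DIR . '/backwpup/backwpup.php';   // assumed location
if ( file_exists( $plugin_file ) ) {
    $data = get_plugin_data( $plugin_file, false, false );
    if ( version_compare( $data['Version'], '5.6.2', '<=' ) ) {
        $findings[] = 'BackWPup ' . $data['Version'] . ' is still vulnerable (<= 5.6.2)';
    }
}

WP_CLI::log( $findings ? implode( PHP_EOL, $findings ) : 'no findings' );
```

A clean run only means the three observable traces of this particular chain are absent. An attacker who already holds an administrator account could have changed default_role back and disabled registration again, so treat any privileged account you cannot attribute as compromise until proven otherwise.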
Patch Information
The vulnerability has been addressed in versions after 5.6.2. The fix implements proper capability checks on the save_site_option() function to ensure only users with appropriate permissions can modify WordPress site options. Details of the patch implementation can be reviewed in the WordPress BackWPup Changeset. Additional vulnerability analysis is available from Wordfence Vulnerability Analysis.
Workarounds
- Restrict access to the WordPress REST API using server-level configurations or security plugins until patching is complete
- Disable user registration on the WordPress site temporarily; note that the flaw itself lets an attacker re-enable it through users_can_register, so this only raises the bar and must be combined with blocking the endpoint
- Implement IP-based access controls to limit REST API access to trusted networks
- Remove or deactivate the BackWPup plugin if it is not actively required for site operations
# Temporary workaround: block the BackWPup REST namespace at the web server until the plugin is patched.
# The exploit requires an authenticated user, who is typically authenticated by cookie rather than an
# Authorization header, so the block must apply to every request except those from a trusted address.
# Add to the WordPress root .htaccess file. The plugin UI is unusable from other addresses while this is in place.
# 203.0.113.10 is a placeholder for the administrators' own address.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REQUEST_URI} ^/wp-json/backwpup/ [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)rest_route=/backwpup/ [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


