CVE-2025-28954 Overview
CVE-2025-28954 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Backwp WordPress plugin by wphobby. It lets an attacker chain CSRF with path traversal: a forged request submitted by an authenticated administrator's browser can name files outside the plugin's intended directory, potentially leading to arbitrary file deletion on affected WordPress installations. The vulnerability exists in all versions of the plugin up to and including version 2.0.2.
Critical Impact
Attackers can trick authenticated administrators into performing unintended actions, enabling arbitrary file deletion through path traversal which could result in complete denial of service by deleting critical WordPress files.
Affected Products
- Backwp WordPress Plugin version 2.0.2 and earlier
- WordPress installations with the vulnerable Backwp plugin enabled
- Sites where administrators may click malicious links while authenticated
Discovery Timeline
- 2025-06-06 - CVE-2025-28954 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-28954
Vulnerability Analysis
This vulnerability combines two distinct attack techniques: Cross-Site Request Forgery (CSRF) and Path Traversal. The Backwp plugin fails to implement proper CSRF protection mechanisms on sensitive administrative functions, specifically those related to file management operations. When an authenticated administrator visits a malicious page crafted by an attacker, the browser automatically sends the administrator's session credentials along with a forged request to the vulnerable plugin endpoint.
The path traversal component allows attackers to specify file paths outside the intended directory scope using directory traversal sequences (such as ../). When combined with the CSRF weakness, this enables unauthenticated attackers to delete arbitrary files on the server by tricking administrators into triggering malicious requests.
The attack requires user interaction—specifically, an authenticated administrator must be deceived into visiting a malicious webpage or clicking a specially crafted link. Upon successful exploitation, the availability impact is high as critical WordPress files or system files could be deleted, potentially rendering the entire WordPress installation non-functional.
Root Cause
The root cause of this vulnerability is twofold:
Missing CSRF Token Validation: The Backwp plugin does not properly validate CSRF tokens (nonces in WordPress terminology) on administrative actions related to file operations. This allows attackers to craft malicious requests that appear legitimate to the server when submitted by an authenticated user.
Insufficient Path Sanitization: The plugin fails to properly sanitize user-supplied file path parameters, allowing directory traversal sequences to escape the intended directory context and access arbitrary filesystem locations.
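The two root causes above are easiest to see side by side. The following is an added example written for this page, not Backwp's actual code: a hypothetical WordPress plugin delete handler in the vulnerable shape the advisory describes, followed by a hardened version that adds a capability check, a WordPress nonce bound to the action and file name, and path confinement based on realpath() rather than substring filtering. The hook name (example_delete_backup), the backup directory, the capability (manage_options) and the redirect target are assumptions chosen for illustration.

```php
<?php
// Added example (not Backwp's code). Assumes the WordPress runtime is loaded
// (wp_verify_nonce, current_user_can, wp_die, wp_unslash, wp_safe_redirect, admin_url).

function example_backup_dir(): string {
    // Assumed location of the plugin's backup files.
    return rtrim(WP_CONTENT_DIR, '/') . '/example-backups';
}

// --- Vulnerable shape described in the advisory ----------------------------
// No capability check, no nonce check, and the file name is concatenated raw,
// so a forged request carrying "../" runs with the victim's privileges.
function example_delete_backup_vulnerable(): void {
    unlink(example_backup_dir() . '/' . $_GET['file']);
}

// --- Hardened version ------------------------------------------------------

/**
 * Resolve a user-supplied file name to a canonical path inside $base, or null.
 * Containment is decided on realpath() output, not by stripping "../" substrings,
 * so encoded or mixed-separator variants cannot slip through.
 */
function example_resolve_inside(string $base, string $name): ?string {
    $real_base = realpath($base);
    if ($real_base === false || $name === '' || $name !== basename($name)) {
        return null; // unknown base, empty name, or a name with directory parts
    }
    $candidate = realpath($real_base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null; // does not exist, or is not a regular file
    }
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // a symlink or traversal escaped the backup directory
    }
    return $candidate;
}

function example_delete_backup_hardened(): void {
    // 1. Authorisation: deleting backups is an administrator-only action.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', '', ['response' => 403]);
    }
    // 2. CSRF: the nonce is bound to this action AND this file name, so a
    //    cross-site form cannot present a valid token for any file.
    $file  = isset($_POST['file']) ? (string) wp_unslash($_POST['file']) : '';
    $nonce = isset($_POST['_wpnonce']) ? (string) $_POST['_wpnonce'] : '';
    if (!wp_verify_nonce($nonce, 'example_delete_backup_' . $file)) {
        wp_die('Invalid or expired request token', '', ['response' => 403]);
    }
    // 3. Path confinement: only a canonical path below the backup dir is deleted.
    $path = example_resolve_inside(example_backup_dir(), $file);
    if ($path === null) {
        wp_die('Invalid file name', '', ['response' => 400]);
    }
    unlink($path);
    wp_safe_redirect(admin_url('admin.php?page=example-backups&deleted=1'));
    exit;
}
add_action('admin_post_example_delete_backup', 'example_delete_backup_hardened');
```

The matching admin form would be a POST form that emits the token with wp_nonce_field('example_delete_backup_' . $file), so a plain link cannot trigger the action. Note that a nonce only proves the request was minted by the site for the current user; it is not an authorisation check, which is why the capability test stays in place as a separate step.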
Attack Vector
The attack is network-based and requires user interaction from an authenticated administrator. An attacker would typically:
- Craft a malicious HTML page containing a hidden form or JavaScript that automatically submits a request to the vulnerable Backwp plugin endpoint
- Include path traversal sequences in the file parameter to target files outside the intended directory
- Distribute the malicious link via phishing, social engineering, or by compromising a website the administrator might visit
- When the administrator visits the malicious page while authenticated to their WordPress site, the forged request is executed with their privileges
The vulnerability results in arbitrary file deletion; in CVSS terms the scope is unchanged (the deleted files belong to the same WordPress installation), but the availability impact is high because critical system files could be removed.
Detection Methods for CVE-2025-28954
Indicators of Compromise
- Unexpected HTTP requests to Backwp plugin endpoints containing path traversal sequences (../) in file parameters
- Missing critical WordPress core files or configuration files without administrative action
- Web server access logs showing requests to Backwp endpoints with unusual referrer headers from external domains
- WordPress error logs indicating file not found errors for previously existing files
Detection Strategies
- Monitor web server access logs for requests containing directory traversal patterns (../, ..%2f, %2e%2e/) targeting Backwp plugin endpoints
- Implement file integrity monitoring to detect unauthorized deletion of WordPress core files, plugin files, or configuration files
- Review HTTP referrer headers for administrative plugin actions to identify requests originating from external or untrusted domains
- Deploy Web Application Firewall (WAF) rules to detect and block CSRF attacks and path traversal attempts
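The first and third detection strategies above can be run over access logs directly. The following is an added example, not part of the advisory: it parses Combined Log Format lines, decodes percent-encoding repeatedly so that ..%2f and %2e%2e/ (and double-encoded forms) normalise to ../, and flags requests to an assumed plugin endpoint that either carry a traversal sequence or arrive with a referrer from a host other than the site itself. The endpoint prefix and the three log lines are constructed for illustration.

```php
<?php
// Added example (not part of the advisory). The endpoint prefix is an assumption;
// adjust it to the plugin's real admin endpoint on your site.
const EXAMPLE_TARGET_PREFIX = '/wp-admin/admin-post.php';

/** Percent-decode repeatedly (bounded) so double-encoded "../" also normalises. */
function example_full_decode(string $s): string {
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

/** True if the request target contains a directory traversal sequence after decoding. */
function example_has_traversal(string $target): bool {
    $decoded = str_replace('\\', '/', example_full_decode($target));
    // ".." as a whole path component: preceded by start, "/" or "=", followed by "/", "&" or end.
    return (bool) preg_match('#(^|[/=])\.\.(?:[/&]|$)#', $decoded);
}

/** Parse one Combined Log Format line into its fields, or null if it does not match. */
function example_parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'target' => $m[3],
            'status' => (int) $m[4], 'referer' => $m[5]];
}

/** Flag endpoint requests carrying traversal sequences or an off-site referrer. */
function example_suspicious_requests(array $lines, string $site_host): array {
    $hits = [];
    foreach ($lines as $line) {
        $r = example_parse_log_line($line);
        if ($r === null
            || strncmp($r['target'], EXAMPLE_TARGET_PREFIX, strlen(EXAMPLE_TARGET_PREFIX)) !== 0) {
            continue; // unparseable, or not aimed at the plugin endpoint
        }
        $reasons = [];
        if (example_has_traversal($r['target'])) {
            $reasons[] = 'traversal';
        }
        $ref_host = $r['referer'] === '-' ? null : parse_url($r['referer'], PHP_URL_HOST);
        if ($ref_host !== null && strcasecmp($ref_host, $site_host) !== 0) {
            $reasons[] = 'external-referer:' . $ref_host;
        }
        if ($reasons) {
            $hits[] = ['ip' => $r['ip'], 'target' => $r['target'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed sample log lines: one legitimate admin action, one forged request with an
// encoded traversal payload and an off-site referrer, and one unrelated download whose
// ".." inside a file name must NOT be flagged.
$example_lines = [
    '203.0.113.5 - - [06/Jun/2025:10:01:22 +0000] "GET /wp-admin/admin-post.php?action=example_delete&file=backup-1.zip HTTP/1.1" 302 0 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Jun/2025:10:02:03 +0000] "GET /wp-admin/admin-post.php?action=example_delete&file=..%2f..%2f..%2fwp-config.php HTTP/1.1" 302 0 "https://other-site.invalid/page.html" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Jun/2025:10:02:40 +0000] "GET /wp-content/uploads/backup-2025..tar HTTP/1.1" 200 10240 "-" "curl/8.0"',
];

foreach (example_suspicious_requests($example_lines, 'example.test') as $h) {
    echo $h['ip'], ' ', implode(',', $h['reasons']), ' ', $h['target'], PHP_EOL;
}
```

Only the second line is reported, with both reasons. Two caveats for using this in practice: parameters sent in a POST body never appear in a standard access log, so a forged POST leaves only the referrer clue, and referrers can be suppressed by the originating page; this is why the advisory pairs log review with file integrity monitoring rather than relying on either alone.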
Monitoring Recommendations
- Enable comprehensive logging for the Backwp plugin and monitor for file deletion operations
- Configure alerts for any changes to critical WordPress files including wp-config.php, core files in wp-includes/, and database files
- Implement real-time monitoring of the WordPress filesystem to detect unexpected file deletions
- Review administrator activity logs regularly for any unusual file management actions
How to Mitigate CVE-2025-28954
Immediate Actions Required
- Deactivate and remove the Backwp plugin immediately if running version 2.0.2 or earlier
- Audit the WordPress filesystem for any signs of unauthorized file deletions or modifications
- Review web server access logs for any evidence of exploitation attempts targeting the Backwp plugin
- Consider implementing additional WordPress security plugins that provide CSRF protection and file integrity monitoring
Patch Information
As of the published date, the vulnerability affects Backwp versions through 2.0.2. Site administrators should check the Patchstack Vulnerability Report for the latest information on available patches and recommended versions. If no patched version is available, consider using an alternative backup plugin with proper security controls.
Workarounds
- Remove or deactivate the Backwp plugin entirely until a patched version is released
- Restrict access to the WordPress admin area by implementing IP-based access controls
- Use a Web Application Firewall (WAF) to filter requests containing path traversal patterns and enforce CSRF validation
- Implement the principle of least privilege by ensuring administrators only access the WordPress dashboard from trusted devices and networks
# Disable Backwp plugin via WP-CLI
wp plugin deactivate backwp
# Verify the plugin is deactivated
wp plugin list --status=inactive | grep backwp
# Optionally remove the plugin entirely
wp plugin delete backwp
# Check file integrity of WordPress core
wp core verify-checksums
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


