CVE-2025-5396 Overview
CVE-2025-5396 is a critical Remote Code Execution (RCE) vulnerability in the Bears Backup plugin for WordPress affecting all versions up to and including 2.0.0. The vulnerability exists in the bbackup_ajax_handle() function, which lacks proper capability checks and fails to validate user-supplied input before passing it directly to PHP's call_user_func(). This allows unauthenticated attackers to execute arbitrary code on the server, potentially leading to complete site compromise.
Critical Impact
Unauthenticated attackers can achieve remote code execution on vulnerable WordPress installations, enabling backdoor injection, creation of rogue administrator accounts, and full server compromise without any authentication required.
Affected Products
- Bears Backup plugin for WordPress versions up to and including 2.0.0
- WordPress sites running the Alone theme versions 7.8.4 and older (when chained with CVE-2025-5394)
- Any WordPress installation with the Bears Backup plugin enabled
Discovery Timeline
- 2025-07-17 - CVE-2025-5396 published to NVD
- 2025-07-17 - Last updated in NVD database
Technical Details for CVE-2025-5396
Vulnerability Analysis
This vulnerability represents a severe security flaw stemming from multiple compounding issues within the Bears Backup plugin's AJAX handler. The bbackup_ajax_handle() function processes AJAX requests without implementing any authentication or authorization checks, meaning any visitor to the site—authenticated or not—can invoke this functionality. More critically, the function accepts user-controlled input and passes it directly to PHP's call_user_func() without any validation or sanitization.
The call_user_func() function in PHP is designed to call a callback function with a given set of parameters. When an attacker can control the arguments passed to this function, they can effectively call any PHP function available in the execution context. This bypasses the intended application logic entirely and provides direct access to dangerous system functions.
The vulnerability is classified under CWE-94 (Improper Control of Generation of Code, or Code Injection), which accurately describes the root issue: the application fails to properly neutralize or validate input that is used to dynamically construct and execute code.
Root Cause
The root cause is twofold: first, the absence of capability checks means no authentication is required to access the vulnerable function. WordPress provides robust capability and nonce verification mechanisms specifically to prevent unauthorized access to administrative functions, but these were not implemented in bbackup_ajax_handle(). Second, the direct use of user-supplied input in call_user_func() without any form of input validation or allowlist checking allows attackers to specify arbitrary functions to execute.
Attack Vector
The attack is network-based and can be executed remotely without any authentication. An attacker sends a specially crafted AJAX request to the WordPress site targeting the Bears Backup plugin's handler endpoint. By manipulating the parameters in this request, the attacker controls which function is called via call_user_func() and with what arguments.
On WordPress sites also running the Alone theme (versions 7.8.4 and older), this vulnerability can be chained with CVE-2025-5394 to first install the Bears Backup plugin if it's not already present, and then exploit CVE-2025-5396 to achieve code execution. This attack chain significantly expands the potential attack surface to include sites that may not have the vulnerable plugin installed but are running the affected theme.
Successful exploitation enables attackers to inject persistent backdoors into the WordPress installation, create new administrator accounts for ongoing access, modify site content, exfiltrate sensitive data including database credentials, or pivot to attack other systems accessible from the web server.
Detection Methods for CVE-2025-5396
Indicators of Compromise
- Unexpected administrator accounts appearing in WordPress user management
- Unfamiliar PHP files in WordPress directories, particularly in wp-content/uploads/ or plugin directories
- Unusual outbound network connections from the web server
- Modified .htaccess files or unexpected rewrites
- Web server logs showing unusual POST requests to WordPress AJAX endpoints with abnormal parameters
Detection Strategies
- Monitor WordPress AJAX endpoint (/wp-admin/admin-ajax.php) for requests containing Bears Backup actions with suspicious function names or parameters
- Implement file integrity monitoring on WordPress core files and plugin directories to detect unauthorized modifications
- Review user account creation logs for administrator accounts created outside normal administrative processes
- Deploy Web Application Firewall (WAF) rules to detect and block code injection patterns in AJAX requests
Monitoring Recommendations
- Enable comprehensive logging for all WordPress AJAX requests and audit for anomalous patterns
- Configure alerts for new administrator account creation events
- Implement real-time file system monitoring with hash verification for critical WordPress files
- Monitor server process execution for unexpected PHP child processes or system command invocations
How to Mitigate CVE-2025-5396
Immediate Actions Required
- Immediately disable or remove the Bears Backup plugin if running version 2.0.0 or earlier
- Audit WordPress user accounts for any unauthorized administrator accounts and remove them
- Scan the WordPress installation for backdoors or unauthorized file modifications
- If running the Alone theme version 7.8.4 or older, update or disable the theme to prevent the CVE-2025-5394 attack chain
- Review server and application logs for evidence of exploitation
Patch Information
At the time of publication, organizations should consult the Wordfence Vulnerability Report for the latest remediation guidance and patch availability. If a patched version becomes available, upgrade immediately after verifying the patch addresses the vulnerability.
Workarounds
- Remove or deactivate the Bears Backup plugin entirely until a secure version is released
- Implement Web Application Firewall rules to block malicious AJAX requests targeting the plugin's endpoints
- Restrict access to WordPress admin-ajax.php using server-level access controls if plugin removal is not immediately possible
- Apply network segmentation to limit the impact of potential server compromise
- Consider using alternative backup solutions that have undergone security audits
# Disable Bears Backup plugin via WP-CLI
wp plugin deactivate bears-backup --path=/var/www/wordpress
# Verify no unauthorized admin users exist
wp user list --role=administrator --path=/var/www/wordpress
# Check for recently modified files in plugin directories
find /var/www/wordpress/wp-content/plugins -type f -mtime -7 -name "*.php"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
