CVE-2025-9993 Overview
CVE-2025-9993 is a Local File Inclusion (LFI) vulnerability in the Bei Fen – WordPress Backup Plugin for WordPress. The flaw exists in all versions up to and including 1.4.2 and is reachable through the task parameter. Authenticated users with Subscriber-level access or higher can include and execute arbitrary .php files on the server. The vulnerability only impacts sites running PHP 7.1 or older, where unrestricted file inclusion behavior allows the attack to succeed. Successful exploitation enables access control bypass, disclosure of sensitive data, and arbitrary PHP code execution when attackers can write .php content to a known path.
Critical Impact
Authenticated Subscriber-level attackers can execute arbitrary PHP code on vulnerable WordPress sites running PHP 7.1 or older.
Affected Products
- Bei Fen – WordPress Backup Plugin versions up to and including 1.4.2
- WordPress installations using the affected plugin with PHP 7.1 or older
- Sites where Subscriber-level or higher accounts can register or authenticate
Discovery Timeline
- 2025-09-30 - CVE-2025-9993 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-9993
Vulnerability Analysis
The vulnerability is classified as [CWE-98] Improper Control of Filename for Include/Require Statement in PHP Program. The plugin accepts a task parameter and uses it to construct a file path that is passed to a PHP include or require statement without adequate sanitization. Authenticated attackers can manipulate task to reference attacker-controlled .php files on the server. When PHP 7.1 or older processes the include, the referenced file executes within the WordPress process context. The attack is limited to PHP 7.1 and earlier because newer PHP versions and allow_url_include defaults restrict the inclusion behavior the plugin relies on.
Root Cause
The root cause is unsanitized user input flowing into a PHP file inclusion call inside beifen.php. The plugin does not validate that the task value resolves to an expected file within an allowlisted directory. It also fails to enforce capability checks that would limit the endpoint to administrators. Subscriber-level authentication is sufficient to reach the vulnerable code path.
Attack Vector
An attacker first obtains a Subscriber-level account on the target WordPress site, either through open registration or credential compromise. The attacker then issues an authenticated request to the plugin endpoint with a crafted task parameter that references a .php file already present on the filesystem. If the attacker can also upload .php content through any other plugin, media handler, or log injection vector, the included file executes attacker-supplied code with the privileges of the web server user. See the Wordfence Vulnerability Analysis and the affected source in the WordPress Plugin Code for the exact sink location.
Detection Methods for CVE-2025-9993
Indicators of Compromise
- HTTP requests to WordPress admin-ajax or plugin handlers containing a task parameter with path traversal sequences such as ../ or absolute paths ending in .php
- Unexpected PHP execution originating from uploads, log files, or session storage directories
- New Subscriber accounts created shortly before suspicious plugin requests
- Outbound network connections from the web server process following plugin requests
Detection Strategies
- Inspect WordPress access logs for requests to plugin endpoints in /wp-content/plugins/bei-fen/ that include a task parameter with non-standard values
- Correlate authenticated low-privilege user sessions with subsequent file inclusion patterns in webserver logs
- Enable PHP error logging and watch for include, require, or file not found warnings referencing user-controlled paths
- Hash and baseline plugin files in /wp-content/plugins/bei-fen/ to identify tampering
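As an added example (not code from the original advisory or the plugin), the first two detection strategies above applied to constructed access-log lines in Python: the /wp-content/plugins/bei-fen/ path, the task parameter and the beifen.php file name come from this advisory, while the sample IPs, timestamps, task values and the admin-ajax action name are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real traffic): line 1 is a benign
# plugin request, lines 2-5 carry the task-parameter patterns listed above, line 6 is noise.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2025:10:00:01 +0000] "GET /wp-content/plugins/bei-fen/beifen.php?task=backup HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2025:10:00:07 +0000] "GET /wp-content/plugins/bei-fen/beifen.php?task=../../uploads/2025/10/img.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2025:10:00:09 +0000] "GET /wp-content/plugins/bei-fen/beifen.php?task=%2e%2e%2f%2e%2e%2fuploads%2fimg.php HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.5 - - [01/Oct/2025:10:00:12 +0000] "GET /wp-content/plugins/bei-fen/beifen.php?task=%252e%252e%252fdebug.log HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.9 - - [01/Oct/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=example&task=/var/www/html/wp-content/uploads/a.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Oct/2025:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PLUGIN_PREFIX = "/wp-content/plugins/bei-fen/"   # plugin handler path from the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"            # WordPress AJAX entry point

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %252e%252e%252f is seen as ../ too."""
    for _ in range(rounds):
        value, prev = unquote(value), value
        if value == prev:
            break
    return value

def classify_task(task):
    """Reasons a task value looks like a file-inclusion attempt (empty list if benign)."""
    t = fully_decode(task).replace("\\", "/").lower()
    checks = [("path traversal", "../" in t), ("absolute path", t.startswith("/")),
              (".php reference", ".php" in t), ("null byte", "\x00" in t)]
    return [name for name, hit in checks if hit]

def scan_log(text):
    """Return one finding per suspicious task parameter sent to a bei-fen or admin-ajax handler."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != AJAX_PATH and not parts.path.startswith(PLUGIN_PREFIX):
            continue
        # parse_qs removes one layer of percent-encoding; fully_decode handles the rest
        for task in parse_qs(parts.query, keep_blank_values=True).get("task", []):
            reasons = classify_task(task)
            if reasons:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "status": m.group("status"), "task": task, "reasons": reasons})
    return findings
```

Grouping the findings by ip and time against wp-login.php activity in the same log gives the session correlation described in the second strategy.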
Monitoring Recommendations
- Alert on creation of new .php files in writable WordPress directories such as wp-content/uploads/
- Monitor the PHP version of WordPress hosts and flag any running PHP 7.1 or older as elevated risk
- Track Subscriber account creation rate against historical baselines for sudden spikes
How to Mitigate CVE-2025-9993
Immediate Actions Required
- Disable or remove the Bei Fen – WordPress Backup Plugin until a patched version is confirmed available
- Upgrade PHP to a supported version (PHP 7.4 or later, ideally 8.x) to eliminate the precondition for exploitation
- Audit existing user accounts and disable open user registration if it is not required
- Rotate WordPress administrative credentials and review the filesystem for unauthorized .php files
Patch Information
No vendor patch is referenced in the NVD entry as of the last modified date 2026-04-15. Review the WordPress Plugin Code repository and the Wordfence Vulnerability Analysis for the latest remediation status before re-enabling the plugin.
Workarounds
- Restrict access to plugin endpoints at the web server or web application firewall (WAF) layer using path and parameter rules
- Set PHP open_basedir to limit file inclusion to specific directories outside of writable upload paths
- Block requests containing ../ or absolute paths in the task parameter at the WAF
- Remove Subscriber self-registration where business requirements permit
# Example: disable open registration with WP-CLI (the same setting as "Anyone can register" under Settings > General)
wp option update users_can_register 0
# Example: nginx rule (inside a server or location block) to reject path traversal in the task parameter.
# $args is the raw, undecoded query string, so the percent-encoded form %2e%2e%2f is matched explicitly as well.
if ($args ~* "task=[^&]*(\.\.|%2e%2e)(/|%2f)") {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.