CVE-2026-3143 Overview
CVE-2026-3143 affects the Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid. The vulnerability stems from a missing capability check on the wp_ajax_cli_cancel AJAX function in all versions up to and including 1.17.1. Unauthenticated attackers can invoke this endpoint to cancel a pending rollback. When a WordPress update fails, the plugin normally triggers an automatic revert to the prior known-good state. By cancelling that pending rollback, an attacker prevents the recovery action and can leave the site in a failed or partially updated state. The flaw is categorized as Missing Authorization [CWE-862].
Critical Impact
Unauthenticated network attackers can cancel pending rollbacks, blocking automatic recovery from failed updates and leaving WordPress installations in a broken or inconsistent state.
Affected Products
- Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid
- All plugin versions up to and including 1.17.1
- WordPress sites with the boldgrid-backup plugin installed and active
Discovery Timeline
- 2026-05-01 - CVE-2026-3143 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-3143
Vulnerability Analysis
The Total Upkeep plugin registers an AJAX action handler bound to wp_ajax_cli_cancel. WordPress exposes wp_ajax_* hooks to authenticated users by default, but the plugin's registration and handler logic do not enforce a current_user_can() capability check or validate a nonce before performing the cancellation. The handler terminates a pending rollback workflow that the plugin schedules after a failed core, theme, or plugin update.
Because the integrity-affecting action runs without authorization checks, any actor able to reach the site's admin-ajax.php endpoint can suppress the automatic rollback. This breaks the safety net the plugin is designed to provide. The vulnerability does not expose data confidentiality but does affect data integrity, since the site state diverges from the intended recovered baseline.
Root Cause
The root cause is an absent authorization gate on the wp_ajax_cli_cancel handler. Per [CWE-862], the function performs a privileged state change without verifying that the caller holds the required WordPress capability. The plugin also lacks nonce validation on this entry point, removing the secondary CSRF protection. Vendor changeset 3480378 introduces the corrective check.
Attack Vector
Exploitation requires only network access to the WordPress site. The attacker sends a crafted POST request to /wp-admin/admin-ajax.php with the action parameter set to cli_cancel. No authentication, user interaction, or special privileges are required. The handler accepts the request and cancels any rollback queued by the auto-rollback subsystem implemented in class-boldgrid-backup-admin-auto-rollback.php.
For technical context, see the vendor source references: WordPress Plugin Class Code, WordPress Plugin Core Code, and the WordPress Plugin Changeset Update.
Detection Methods for CVE-2026-3143
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=cli_cancel from unauthenticated sessions or unexpected source IPs.
- Pending auto-rollback events that disappear from the plugin's state without an administrator-initiated cancellation in the audit log.
- WordPress core, theme, or plugin updates that remained in a failed state instead of automatically reverting.
Detection Strategies
- Inspect web server access logs for admin-ajax.php traffic carrying the cli_cancel action and correlate with WordPress authentication cookies.
- Compare plugin auto-rollback scheduling events against cancellation events in plugin logs to identify mismatches.
- Add a Web Application Firewall (WAF) rule to flag or block requests to cli_cancel that lack a valid logged-in administrator session.
Monitoring Recommendations
- Monitor outcomes of WordPress automatic update cycles and alert when expected rollbacks fail to complete.
- Track all admin-ajax.php actions tied to backup or rollback workflows and baseline normal volumes.
- Review the Wordfence Vulnerability Report for current threat intelligence on exploitation attempts.
How to Mitigate CVE-2026-3143
Immediate Actions Required
- Update the Total Upkeep plugin to a version newer than 1.17.1 that incorporates changeset 3480378.
- Audit recent WordPress update history and verify that any failed updates were properly rolled back or remediated manually.
- Restrict access to /wp-admin/admin-ajax.php from untrusted networks where feasible, using WAF or reverse proxy controls.
Patch Information
The vendor addressed the missing authorization check in WordPress Plugin Changeset Update 3480378. Site administrators should upgrade through the WordPress plugin updater or by replacing the plugin files with the patched release. Confirm the installed version is greater than 1.17.1 after upgrade.
Workarounds
- Deactivate and remove the Total Upkeep plugin until the patched version is deployed if updating is not immediately possible.
- Deploy a WAF rule that blocks unauthenticated requests where the action parameter equals cli_cancel.
- Disable WordPress automatic background updates temporarily and perform manual updates with manual backups until the plugin is patched.
# Example WAF rule fragment (ModSecurity-style) to block unauthenticated cli_cancel
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
"chain,phase:2,deny,status:403,id:1026003143,msg:'Block CVE-2026-3143 cli_cancel'"
SecRule ARGS:action "@streq cli_cancel" \
"chain"
SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
