CVE-2026-42760 Overview
CVE-2026-42760 is an authentication bypass vulnerability in the Backup and Staging by WP Time Capsule WordPress plugin developed by revmakx. The flaw [CWE-288] allows attackers to bypass authentication through an alternate path tied to the password recovery workflow. All plugin versions up to and including 1.22.25 are affected. Remote unauthenticated attackers can exploit this issue over the network without user interaction. Successful exploitation results in unauthorized account access, exposing confidential data stored within affected WordPress sites.
Critical Impact
Unauthenticated remote attackers can bypass authentication on WordPress sites running vulnerable versions of the WP Time Capsule plugin and gain access to protected accounts via password recovery exploitation.
Affected Products
- revmakx Backup and Staging by WP Time Capsule (wp-time-capsule)
- All versions from initial release through 1.22.25
- WordPress sites with the plugin installed and active
Discovery Timeline
- 2026-05-27 - CVE-2026-42760 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-42760
Vulnerability Analysis
The vulnerability resides in the password recovery functionality of the WP Time Capsule plugin. An attacker can reach an authenticated state without supplying valid credentials by abusing the recovery channel. The flaw is classified under [CWE-288] — Authentication Bypass Using an Alternate Path or Channel. The attack requires no privileges and no user interaction, and it is delivered over the network. While the integrity and availability of the host system remain intact, the confidentiality impact is significant because adversaries gain access to account data and any backup or staging information the plugin manages.
Root Cause
The root cause is improper enforcement of authentication checks in the plugin's password recovery flow. The recovery channel does not adequately verify the requesting party, allowing it to be used as an alternate authentication path. This design weakness permits attackers to obtain session access or password reset capabilities outside the standard login process.
Attack Vector
The attack vector is network-based. An unauthenticated remote attacker sends crafted requests to the password recovery endpoint exposed by the plugin. Because the alternate path does not validate identity correctly, the attacker can trigger account takeover against the targeted WordPress installation. The Patchstack advisory referenced under External References provides the technical specifics.
No verified proof-of-concept code is available at the time of publication. See the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-42760
Indicators of Compromise
- Unexpected password reset requests targeting administrator accounts in WordPress logs
- Successful authentication events not preceded by a corresponding valid login attempt
- HTTP requests to WP Time Capsule plugin endpoints from unknown external IP addresses
- New or modified administrator accounts following access to the recovery workflow
Detection Strategies
- Audit WordPress access logs for requests to plugin paths under wp-content/plugins/wp-time-capsule/
- Correlate password reset events with subsequent login activity from new IP addresses or user agents
- Identify version 1.22.25 or earlier of the plugin during asset inventory scans
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized analytics platform for query and correlation
- Alert on bursts of password recovery attempts against single accounts within short intervals
- Track plugin version inventories across WordPress hosts to identify unpatched installations
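The detection and monitoring items above (requests to the plugin path from outside a trusted range, bursts of recovery attempts from one source, and recovery activity followed by a login) can be checked directly against web server access logs. The following is an added example, not code from the advisory, from Patchstack or from the plugin vendor. It assumes "combined" format access logs; because the page does not name the plugin's recovery endpoint, it keys on any request under wp-content/plugins/wp-time-capsule/; and it treats a POST to wp-login.php answered with a 302 as a successful-looking login (WordPress redirects on success and re-renders the form with 200 on failure), which is a heuristic rather than proof of compromise. The log lines are constructed and use the documentation range 198.51.100.0/24 for the external source.

```python
"""Access-log checks for the WP Time Capsule indicators listed above (added example).

Assumptions (not from the advisory): combined log format, the plugin path prefix as
the only known endpoint, and "POST /wp-login.php -> 302" as a successful-login heuristic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

PLUGIN_PATH = "/wp-content/plugins/wp-time-capsule/"   # path cited in the advisory
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one internal request, five rapid external requests, then a login.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/May/2026:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/May/2026:10:00:05 +0000] "GET /wp-content/plugins/wp-time-capsule/ HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [27/May/2026:10:02:00 +0000] "POST /wp-content/plugins/wp-time-capsule/ HTTP/1.1" 200 120 "-" "curl/8.0"',
    '198.51.100.23 - - [27/May/2026:10:02:10 +0000] "POST /wp-content/plugins/wp-time-capsule/ HTTP/1.1" 200 120 "-" "curl/8.0"',
    '198.51.100.23 - - [27/May/2026:10:02:20 +0000] "POST /wp-content/plugins/wp-time-capsule/ HTTP/1.1" 200 120 "-" "curl/8.0"',
    '198.51.100.23 - - [27/May/2026:10:02:30 +0000] "POST /wp-content/plugins/wp-time-capsule/ HTTP/1.1" 200 120 "-" "curl/8.0"',
    '198.51.100.23 - - [27/May/2026:10:02:40 +0000] "POST /wp-content/plugins/wp-time-capsule/ HTTP/1.1" 200 120 "-" "curl/8.0"',
    '198.51.100.23 - - [27/May/2026:10:03:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def parse_log(lines):
    return [e for e in (parse_line(l) for l in lines) if e]


def external_plugin_requests(events, allowlist):
    """Requests to the plugin path whose source IP is outside every allowlisted network."""
    nets = [ip_network(n) for n in allowlist]
    return [
        e for e in events
        if e["path"].startswith(PLUGIN_PATH)
        and not any(ip_address(e["ip"]) in n for n in nets)
    ]


def plugin_request_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """{ip: peak count} for sources hitting the plugin path >= threshold times within window."""
    per_ip = defaultdict(list)
    for e in events:
        if e["path"].startswith(PLUGIN_PATH):
            per_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        left, best = 0, 0
        for right in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[right] - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def recovery_then_login(events, window=timedelta(minutes=10)):
    """{ip: (first plugin-path request, later login)} where a successful-looking login follows."""
    hits = {}
    for e in events:
        if not e["path"].startswith(PLUGIN_PATH) or e["ip"] in hits:
            continue
        for f in events:
            if (f["ip"] == e["ip"] and f["method"] == "POST"
                    and f["path"].startswith("/wp-login.php") and f["status"] == 302
                    and e["ts"] < f["ts"] <= e["ts"] + window):
                hits[e["ip"]] = (e["ts"], f["ts"])
                break
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("external:", [e["ip"] for e in external_plugin_requests(ev, ["10.0.0.0/8"])])
    print("bursts:", plugin_request_bursts(ev))
    print("recovery then login:", recovery_then_login(ev))
```

Run it against real logs by replacing SAMPLE_LOG with the file's lines and the allowlist with the ranges that legitimately administer the site; a hit in recovery_then_login is a trigger for reviewing the account's session and reset history, not a verdict on its own.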
How to Mitigate CVE-2026-42760
Immediate Actions Required
- Identify all WordPress installations running the Backup and Staging by WP Time Capsule plugin
- Update the plugin to a version newer than 1.22.25 as soon as a fixed release is available
- Reset passwords for all WordPress administrator accounts on previously vulnerable sites
- Review recent password reset and login events for signs of unauthorized access
Patch Information
Refer to the Patchstack Vulnerability Report for current patch availability and vendor guidance. The advisory tracks affected versions up to 1.22.25 and will be updated as remediation details are released.
Workarounds
- Deactivate the wp-time-capsule plugin until a patched version is installed
- Restrict access to WordPress administrative endpoints using IP allowlisting at the web server or WAF layer
- Enforce multi-factor authentication for all WordPress administrator accounts to reduce account takeover risk
# Configuration example: block external access to the plugin path via nginx
# (10.0.0.0/8 is a placeholder for the trusted administrative range; adjust before deploying)
location ~* /wp-content/plugins/wp-time-capsule/ {
    allow 10.0.0.0/8;
    deny all;
}
# Note: this location block covers only requests under the plugin directory; plugin
# actions routed through wp-admin/admin-ajax.php or the WordPress REST API are not matched.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.