Skip to main content
CVE Vulnerability Database

CVE-2026-8996: WP Time Capsule Information Disclosure Flaw

CVE-2026-8996 is an information disclosure vulnerability in the Backup and Staging by WP Time Capsule WordPress plugin that allows authenticated attackers to download decrypted SQL database backups containing sensitive data.

Published:

CVE-2026-8996 Overview

CVE-2026-8996 is a sensitive information exposure vulnerability affecting the Backup and Staging by WP Time Capsule plugin for WordPress. The flaw impacts all versions up to and including 1.22.26. Authenticated attackers with subscriber-level access or above can invoke the download_recent_decrypted_file_wptc function to retrieve the most recently admin-decrypted SQL database backup. The exposed file typically contains WordPress password hashes, user credentials, and site configuration data referenced by the recent_decrypted_file option. The issue is categorized under [CWE-862] Missing Authorization.

Critical Impact

Low-privileged authenticated users can download decrypted SQL backups containing password hashes and credentials, enabling credential theft and follow-on account takeover.

Affected Products

  • Backup and Staging by WP Time Capsule plugin for WordPress — all versions through 1.22.26
  • WordPress sites where an administrator previously performed a decrypt action, leaving a decrypted SQL file in the plugin upload directory
  • Deployments allowing subscriber-level or higher registration on the affected site

Discovery Timeline

  • 2026-07-09 - CVE-2026-8996 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-8996

Vulnerability Analysis

The vulnerability resides in the download_recent_decrypted_file_wptc handler exposed by the WP Time Capsule plugin. The handler serves the file path recorded in the recent_decrypted_file WordPress option without verifying that the caller holds administrative privileges. Any authenticated user, including a subscriber, can trigger the download path once an administrator has decrypted a backup. The served artifact is a SQL dump containing the full WordPress database state at backup time.

Because SQL backups embed the wp_users and wp_usermeta tables, an attacker obtains hashed passwords, email addresses, session tokens stored in usermeta, secret keys persisted in wp_options, and any application-specific credential material. Offline cracking of the phpass hashes and reuse of API tokens can escalate the incident to full site compromise.

Root Cause

The plugin's download endpoint (see Views/wptc-download-file.php line 23 and wp-time-capsule.php lines 410 and 3764) performs no capability check before streaming the decrypted backup. The action is registered against the standard WordPress AJAX or admin-post interface, which authenticates any logged-in user by default. The absence of a current_user_can('manage_options') check, along with no nonce validation tied to the download action, permits horizontal and vertical access to a sensitive file.

Attack Vector

An attacker registers or obtains a subscriber-level account on a target WordPress site running a vulnerable version. After authenticating, the attacker issues an HTTP request to the plugin action download_recent_decrypted_file_wptc. If an administrator has previously decrypted a backup, the server responds with the SQL file contents. The attacker then parses wp_users rows, extracts hashes, and cracks or replays credentials against /wp-login.php or the REST API. No file exists to serve when no prior admin decrypt action has occurred, which is the only precondition limiting exploitation.

Detection Methods for CVE-2026-8996

Indicators of Compromise

  • HTTP requests from low-privileged accounts to admin-ajax.php or admin-post.php referencing the action download_recent_decrypted_file_wptc.
  • Unexpected outbound transfers of .sql files sized consistent with the WordPress database from /wp-content/uploads/ paths associated with WP Time Capsule.
  • Presence of a populated recent_decrypted_file value in wp_options combined with access log entries from non-administrator user IDs.
  • Post-incident login attempts using credentials that match hashes present in wp_users, especially from previously unseen IP addresses.

Detection Strategies

  • Alert on any authenticated request to the download_recent_decrypted_file_wptc action where the session cookie belongs to a role below administrator.
  • Monitor web server access logs for GET or POST requests returning Content-Type: application/sql or application/octet-stream from plugin directories.
  • Correlate WordPress audit log events showing subscriber logins with subsequent downloads from /wp-content/uploads/wp-time-capsule-* paths.

Monitoring Recommendations

  • Enable a WordPress activity log plugin to record AJAX action invocations and user role at the time of the request.
  • Forward web server and WordPress audit logs to a centralized platform and retain HTTP request URIs, response sizes, and authenticated user IDs.
  • Baseline normal administrative use of WP Time Capsule and alert on any download-file endpoint activity outside the administrator role.

How to Mitigate CVE-2026-8996

Immediate Actions Required

  • Update the Backup and Staging by WP Time Capsule plugin to a version released after 1.22.26 that includes the authorization fix documented in the WordPress plugin changeset.
  • Delete any residual decrypted SQL backups from the plugin's upload directory and clear the recent_decrypted_file value in wp_options.
  • Force a password reset for all WordPress accounts and rotate any API keys, secret salts, and third-party tokens stored in the database.
  • Review user registration settings and remove unnecessary subscriber accounts that could be leveraged for exploitation.

Patch Information

The vendor addressed the missing authorization check in a release published after 1.22.26. Refer to the Wordfence Vulnerability Report for confirmation of the fixed version and to the WordPress plugin source for the corrected handler implementation.

Workarounds

  • Disable the WP Time Capsule plugin until the patched version is deployed if immediate updating is not possible.
  • Block requests to the download_recent_decrypted_file_wptc action at the web application firewall or reverse proxy layer.
  • Restrict WordPress registration to trusted users only by setting Anyone can register to disabled under Settings → General.
  • Enforce administrator workflows that avoid leaving decrypted backups on disk, and remove decrypted files immediately after operational use.
bash
# Example WAF rule fragment to block the vulnerable action for non-admin sessions
SecRule REQUEST_URI "@rx /wp-admin/admin-(ajax|post)\.php" \
  "chain,deny,status:403,id:1026899601,msg:'Block WP Time Capsule decrypted backup download'"
SecRule ARGS:action "@streq download_recent_decrypted_file_wptc"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.