CVE-2026-8996 Overview
CVE-2026-8996 is a sensitive information exposure vulnerability affecting the Backup and Staging by WP Time Capsule plugin for WordPress. The flaw impacts all versions up to and including 1.22.26. Authenticated attackers with subscriber-level access or above can invoke the download_recent_decrypted_file_wptc function to retrieve the most recently admin-decrypted SQL database backup. The exposed file typically contains WordPress password hashes, user credentials, and site configuration data referenced by the recent_decrypted_file option. The issue is categorized under [CWE-862] Missing Authorization.
Critical Impact
Low-privileged authenticated users can download decrypted SQL backups containing password hashes and credentials, enabling credential theft and follow-on account takeover.
Affected Products
- Backup and Staging by WP Time Capsule plugin for WordPress — all versions through 1.22.26
- WordPress sites where an administrator previously performed a decrypt action, leaving a decrypted SQL file in the plugin upload directory
- Deployments allowing subscriber-level or higher registration on the affected site
Discovery Timeline
- 2026-07-09 - CVE-2026-8996 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-8996
Vulnerability Analysis
The vulnerability resides in the download_recent_decrypted_file_wptc handler exposed by the WP Time Capsule plugin. The handler serves the file path recorded in the recent_decrypted_file WordPress option without verifying that the caller holds administrative privileges. Any authenticated user, including a subscriber, can trigger the download path once an administrator has decrypted a backup. The served artifact is a SQL dump containing the full WordPress database state at backup time.
Because SQL backups embed the wp_users and wp_usermeta tables, an attacker obtains hashed passwords, email addresses, session tokens stored in usermeta, secret keys persisted in wp_options, and any application-specific credential material. Offline cracking of the phpass hashes and reuse of API tokens can escalate the incident to full site compromise.
Root Cause
The plugin's download endpoint (see Views/wptc-download-file.php line 23 and wp-time-capsule.php lines 410 and 3764) performs no capability check before streaming the decrypted backup. The action is registered against the standard WordPress AJAX or admin-post interface, which authenticates any logged-in user by default. The absence of a current_user_can('manage_options') check, along with no nonce validation tied to the download action, permits horizontal and vertical access to a sensitive file.
Attack Vector
An attacker registers or obtains a subscriber-level account on a target WordPress site running a vulnerable version. After authenticating, the attacker issues an HTTP request to the plugin action download_recent_decrypted_file_wptc. If an administrator has previously decrypted a backup, the server responds with the SQL file contents. The attacker then parses wp_users rows, extracts hashes, and cracks or replays credentials against /wp-login.php or the REST API. No file exists to serve when no prior admin decrypt action has occurred, which is the only precondition limiting exploitation.
Detection Methods for CVE-2026-8996
Indicators of Compromise
- HTTP requests from low-privileged accounts to admin-ajax.php or admin-post.php referencing the action download_recent_decrypted_file_wptc.
- Unexpected outbound transfers of .sql files sized consistent with the WordPress database from /wp-content/uploads/ paths associated with WP Time Capsule.
- Presence of a populated recent_decrypted_file value in wp_options combined with access log entries from non-administrator user IDs.
- Post-incident login attempts using credentials that match hashes present in wp_users, especially from previously unseen IP addresses.
Detection Strategies
- Alert on any authenticated request to the download_recent_decrypted_file_wptc action where the session cookie belongs to a role below administrator.
- Monitor web server access logs for GET or POST requests returning Content-Type: application/sql or application/octet-stream from plugin directories.
- Correlate WordPress audit log events showing subscriber logins with subsequent downloads from /wp-content/uploads/wp-time-capsule-* paths.
Monitoring Recommendations
- Enable a WordPress activity log plugin to record AJAX action invocations and user role at the time of the request.
- Forward web server and WordPress audit logs to a centralized platform and retain HTTP request URIs, response sizes, and authenticated user IDs.
- Baseline normal administrative use of WP Time Capsule and alert on any download-file endpoint activity outside the administrator role.
How to Mitigate CVE-2026-8996
Immediate Actions Required
- Update the Backup and Staging by WP Time Capsule plugin to a version released after 1.22.26 that includes the authorization fix documented in the WordPress plugin changeset.
- Delete any residual decrypted SQL backups from the plugin's upload directory and clear the recent_decrypted_file value in wp_options.
- Force a password reset for all WordPress accounts and rotate any API keys, secret salts, and third-party tokens stored in the database.
- Review user registration settings and remove unnecessary subscriber accounts that could be leveraged for exploitation.
Patch Information
The vendor addressed the missing authorization check in a release published after 1.22.26. Refer to the Wordfence Vulnerability Report for confirmation of the fixed version and to the WordPress plugin source for the corrected handler implementation.
Workarounds
- Disable the WP Time Capsule plugin until the patched version is deployed if immediate updating is not possible.
- Block requests to the download_recent_decrypted_file_wptc action at the web application firewall or reverse proxy layer.
- Restrict WordPress registration to trusted users only by setting Anyone can register to disabled under Settings → General.
- Enforce administrator workflows that avoid leaving decrypted backups on disk, and remove decrypted files immediately after operational use.
# Example WAF rule fragment to block the vulnerable action for non-admin sessions
SecRule REQUEST_URI "@rx /wp-admin/admin-(ajax|post)\.php" \
"chain,deny,status:403,id:1026899601,msg:'Block WP Time Capsule decrypted backup download'"
SecRule ARGS:action "@streq download_recent_decrypted_file_wptc"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

