7.2
BackWPup plugin for WordPress allows attackers to access sensitive files
CVE-2026-6227
Summary
The BackWPup plugin for WordPress, in all versions up to and including 5.6.6, lets an authenticated user with Administrator access include arbitrary PHP files on the server through a path-traversal flaw in a REST endpoint; because administrators can grant backup permissions to individual users, lower-privileged accounts may be able to reach the same code path. Successful exploitation can expose sensitive files such as wp-config.php and, in certain configurations, lead to remote code execution. Update the plugin to a fixed version as soon as possible.
Original title
The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6...
Original description
The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability.
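The root cause named above is a single, non-recursive `str_replace()` pass over traversal sequences. The following PHP is an added illustration written for this page, not BackWPup's own code and not taken from the referenced changeset: the function names, the `blocks` directory and the regex allowlist are assumptions. It shows why one pass is bypassable with `....//`, why merely looping the replacement is still not a fix, and what a containment check that actually bounds the included file looks like.

```php
<?php
// Added example (hypothetical code, not the plugin's): a bypassable
// single-pass sanitizer, a looped variant, and a hardened resolver.

// Vulnerable pattern: strip '../' and '..\' exactly once.
// '....//' contains '../' in the middle; removing it leaves '../' behind.
function strip_traversal_once(string $name): string {
    return str_replace(['../', '..\\'], '', $name);
}

// Looping until nothing changes removes the literal sequences, but it
// still says nothing about where the final path ends up, so it is not
// a substitute for a containment check.
function strip_traversal_recursive(string $name): string {
    do {
        $before = $name;
        $name   = str_replace(['../', '..\\'], '', $name);
    } while ($name !== $before);
    return $name;
}

// Hardened: accept only a tight identifier, then verify the resolved
// file lives under the intended directory before any include().
// $blocks_dir is an assumed location for the block templates.
function resolve_block(string $name, string $blocks_dir): ?string {
    if (!preg_match('/\A[a-z0-9_-]+\z/', $name)) {
        return null;                       // reject anything that is not a plain name
    }
    $base   = realpath($blocks_dir);
    $target = realpath($blocks_dir . '/' . $name . '.php');
    if ($base === false || $target === false) {
        return null;                       // directory or file does not exist
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // resolved outside the allowed directory
    }
    return $target;
}

// Demonstration with the payload shape from the advisory (constructed input).
$payload = '....//....//wp-config';

echo 'single pass : ', strip_traversal_once($payload), PHP_EOL;      // ../../wp-config
echo 'recursive   : ', strip_traversal_recursive($payload), PHP_EOL; // wp-config (no path guarantee)
var_dump(resolve_block($payload, __DIR__ . '/blocks'));              // NULL, rejected by the allowlist
var_dump(resolve_block('summary', __DIR__ . '/blocks'));             // path only if blocks/summary.php exists
```

Run it with `php example.php` from a directory that contains an (optional) `blocks/` subdirectory. The allowlist alone already defeats the advisory's payload; the `realpath()` check is defence in depth in case the allowlist is later loosened, and it is what a reviewer should look for in the fixed version of any file-inclusion helper.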
NVD CVSS 3.1 base score
7.2
Vulnerability type
CWE-22: Path Traversal
References
- https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPu...
- https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPu...
- https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/src/Frontend/API/...
- https://plugins.trac.wordpress.org/browser/backwpup/trunk/inc/Utils/BackWPupHelp...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/084e3f78-275b-4692-9cc...
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026