Information Disclosure Vulnerability in BackupWordPress Plugin by WordPress
CVE-2022-4931
4.3MEDIUM
What is CVE-2022-4931?
The BackupWordPress plugin for WordPress is susceptible to an information disclosure vulnerability due to inadequate authorization checks within the heartbeat_received() function. This function, which activates during the WordPress heartbeat process, allows authenticated users with subscriber-level permissions and higher to access sensitive backup paths. These paths can be exploited to download backups, potentially compromising sensitive data.
Affected Version(s)
BackUpWordPress 3.12