Server-Side Request Forgery in Total Upkeep Plugin by BoldGrid for WordPress
CVE-2024-13907
6.5 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 27 February 2025
What is CVE-2024-13907?
The Total Upkeep – WordPress Backup Plugin, developed by BoldGrid, is vulnerable to Server-Side Request Forgery (SSRF) in all versions through 1.16.8. Authenticated users with Administrator-level access can abuse the plugin's 'download' function to send web requests to arbitrary destinations. This could allow an attacker to access and manipulate information from internal services, leading to unauthorized actions.
Affected Version(s)
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid: all versions <= 1.16.8