Server-Side Request Forgery in Total Upkeep Plugin by BoldGrid for WordPress
CVE-2024-13907
4.9 MEDIUM
Key Information:
- Vendor: Boldgrid
- Status
- Total Upkeep – WordPress Backup Plugin Plus Restore & Migrate By Boldgrid
- Vendor
- CVE Published: 27 February 2025
Summary
The Total Upkeep – WordPress Backup Plugin, developed by BoldGrid, is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 1.16.8. The flaw is in the plugin's 'download' function: an authenticated user with Administrator-level access can use it to make the server send web requests to arbitrary destinations. Because those requests originate from the server itself, an attacker could use them to access and manipulate information from internal services, leading to unauthorized actions.
Affected Version(s)
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid: <= 1.16.8
CVSS V3.1
Score: 4.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
ngosytuan & quyetnt