Arbitrary File Deletion Vulnerability in Database Backup Plugin for WordPress
CVE-2024-13910

7.2HIGH

Key Information:

Vendor: WordPress
Status: Database Backup And Check Tables Automated With Scheduler 2024
Vendor: CVE Published:; 1 March 2025

Summary

The Database Backup and check Tables Automated With Scheduler plugin for WordPress suffers from an arbitrary file deletion vulnerability due to inadequate file path validation in its 'database_backup_ajax_delete' function across all versions up to and including 2.35. This flaw permits authenticated users with Administrator-level access to delete any file on the server. The consequences can be severe, as deletion of critical files, such as wp-config.php, could lead to remote code execution. This vulnerability was addressed in version 2.36, but users are advised to upgrade promptly to mitigate risks.

Affected Version(s)

Database Backup and check Tables Automated With Scheduler 2024 * <= 2.36

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/database-backu...

https://plugins.trac.wordpress.org/changeset/3247917/

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 1, 2025
Vulnerability Reserved
Feb 25, 2025

Credit

Dzmitry Sviatlichny