Arbitrary File Download and Backup Write Vulnerability in Backup Bolt Plugin for WordPress
CVE-2025-10306

3.8 LOW

Key Information:

Vendor: WordPress

CVE Published: 3 October 2025

What is CVE-2025-10306?

The Backup Bolt plugin for WordPress is vulnerable to arbitrary file download and backup write through its process_backup_batch() function. An attacker with Administrator-level access or higher can use this function to access directories outside the webroot and to write backup zip files to unauthorized locations, posing significant risks to site security.

Affected Version(s)

Backup Bolt * <= 1.4.1

CVSS V3.1

Score: 3.8
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jonas Benjamin Friedli