Unauthorized Data Access Vulnerability in Everest Backup WordPress Plugin
CVE-2025-11380

5.9MEDIUM

Key Information:

Vendor: WordPress
Status: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
Vendor: CVE Published:; 11 October 2025

What is CVE-2025-11380?

The Everest Backup plugin for WordPress contains a vulnerability that allows unauthorized users to access sensitive data due to an absence of a capability check on the 'everest_process_status' AJAX action. This flaw affects all versions up to and including 2.3.5, enabling unauthenticated attackers to uncover backup file locations, provided that backups are actively running. This can lead to significant security risks as attackers may subsequently download these files.

Affected Version(s)

Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin * <= 2.3.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 11, 2025
Vulnerability Reserved
Oct 6, 2025

Credit

Carl Pearson

JSON