Arbitrary File Deletion Vulnerability in CYAN Backup Plugin for WordPress
CVE-2025-12092

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Cyan Backup
Vendor: CVE Published:; 8 November 2025

What is CVE-2025-12092?

The CYAN Backup plugin for WordPress is affected by an arbitrary file deletion vulnerability due to inadequate file path validation in the delete functionality. This issue allows authenticated attackers with Administrator-level access to delete any file on the server, increasing the risk of remote code execution if critical files, like wp-config.php, are removed. It is crucial for site administrators to update to the latest version or apply the necessary patches to safeguard their sites against potential exploitation.

Affected Version(s)

CYAN Backup * <= 2.5.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3390065/cyan...

https://github.com/toolstack/cyan-backup/commit/4a79d23e8...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 8, 2025
Vulnerability Reserved
Oct 22, 2025

Credit

Quy Nguyen

JSON