Unauthorized Database Export in Database Backup Plugin for WordPress
CVE-2026-4029

7.5HIGH

Key Information:

Vendor: WordPress
Status: Database Backup For WordPress
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-4029?

The Database Backup for WordPress plugin is susceptible to unauthorized database exports due to improper enforcement of authorization checks in all versions up to and including 2.5.2. This flaw allows unauthenticated attackers to access sensitive database tables, particularly in WordPress Multisite environments where the deprecated is_site_admin() function is present. This vulnerability poses significant risks as it can lead to the exposure of confidential information stored in the database.

Affected Version(s)

Database Backup for WordPress 0 <= 2.5.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-db-backup/t...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Mar 12, 2026

Credit

Drew Webber

CVE-2026-4029 Data

JSON