Unauthorized File Access Vulnerability in Database Backup Plugin for WordPress
CVE-2026-4030
8.1 HIGH
What is CVE-2026-4030?
The Database Backup for WordPress plugin is vulnerable to unauthorized arbitrary file read and deletion because it does not properly enforce authorization checks. All versions up to and including 2.5.2 are affected. Attackers can exploit a user-controlled backup directory parameter to access and delete files on the server. The risk is significant, especially in WordPress Multisite environments, as it could lead to sensitive information exposure and potential site takeover.
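The two controls the description points to, an authorization check that runs before any file operation and a backup directory the request cannot steer outside a fixed base, are shown here as an added example; it is not the plugin's code or its patch. The function name, nonce action, base directory and the choice of capabilities are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. example_resolve_backup_dir(),
// the 'example_backup_action' nonce action and the 'example-backups'
// directory are hypothetical names.

/**
 * Resolve a requested backup directory name to a real path,
 * or return a WP_Error. Authorization runs first; the path is
 * then confined to one site-chosen base directory.
 */
function example_resolve_backup_dir( $requested ) {
    // 1. Authorization before the path is even looked at.
    //    Assumption: on Multisite only network administrators may proceed.
    $cap = is_multisite() ? 'manage_network_options' : 'manage_options';
    if ( ! current_user_can( $cap ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_backup_action' ); // dies on a bad nonce

    // 2. The base directory is fixed by the site, never by the request.
    $base = realpath( WP_CONTENT_DIR . '/example-backups' );
    if ( false === $base ) {
        return new WP_Error( 'no_base', 'Backup base directory is missing.' );
    }

    // 3. Accept the request value as a single sub-directory name only.
    $name = sanitize_file_name( wp_unslash( (string) $requested ) );
    if ( '' === $name ) {
        return new WP_Error( 'bad_dir', 'Invalid backup directory name.' );
    }

    // 4. Canonicalize (resolves ".." and symlinks), then verify containment.
    $resolved = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $resolved || ! is_dir( $resolved ) ) {
        return new WP_Error( 'bad_dir', 'Backup directory does not exist.' );
    }
    $prefix = trailingslashit( wp_normalize_path( $base ) );
    $target = trailingslashit( wp_normalize_path( $resolved ) );
    if ( 0 !== strpos( $target, $prefix ) ) {
        return new WP_Error( 'escape', 'Path is outside the backup base.' );
    }

    // Callers read or delete files only beneath this returned path.
    return $resolved;
}
```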
Affected Version(s)
Database Backup for WordPress 0 <= 2.5.2