Local File Inclusion Vulnerability in BackWPup Plugin for WordPress by BackWPup
CVE-2026-6227

7.2HIGH

Key Information:

Vendor: WordPress
Status: BackWPup – WordPress Backup & Restore Plugin
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-6227?

The BackWPup plugin for WordPress is subjected to a Local File Inclusion vulnerability that arises from improper sanitization of user inputs. Specifically, within the /wp-json/backwpup/v1/getblock REST endpoint, the block_name parameter does not adequately handle path traversal sequences, leading to potential inclusion of arbitrary PHP files on the server. This flaw allows authenticated users with Administrator permissions to exploit crafted traversal sequences (e.g., ....//), which may enable them to read sensitive files like wp-config.php or, under certain conditions, execute remote code. This vulnerability is particularly concerning as it can be exploited through misconfigured user permissions, compromising the security of WordPress sites.

Affected Version(s)

BackWPup – WordPress Backup & Restore Plugin 0 <= 5.6.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/backwpup/tags/...

https://plugins.trac.wordpress.org/browser/backwpup/trunk...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Apr 13, 2026

Credit

JOAO PEDRO VENTURA ALVES

CVE-2026-6227 Data

JSON