Sensitive Information Exposure in WP Time Capsule Plugin by WP Time Capsule
CVE-2026-8996
6.5MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-8996?
The Backup and Staging by WP Time Capsule plugin for WordPress is at risk of exposing sensitive information. The vulnerability allows authenticated attackers, with subscriber-level access or higher, to download the most recent admin-decrypted SQL database backup. This backup often includes sensitive data such as password hashes and user credentials. Exploitation of this flaw requires an administrator to have previously decrypted the database backup, resulting in the file being stored in the plugin's upload directory. If the admin action has not occurred, the attack is not feasible.
Affected Version(s)
Backup and Staging by WP Time Capsule 0 <= 1.22.26