OS Command Injection in WP Database Backup Plugin by Backup for WP
CVE-2026-9834
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 2 July 2026
What is CVE-2026-9834?
The WP Database Backup β Unlimited Database & Files Backup plugin for WordPress contains a vulnerability allowing OS Command Injection due to improper sanitation of user input. Specifically, maliciously crafted values can be injected through the wp_db_exclude_table parameter, leading to potential arbitrary command execution on the server. Authenticated users with administrator-level privileges can exploit this flaw by submitting harmful values, which are subsequently stored in the WordPress options table, and then executed unsanitized during backup operations. This vulnerability arises because user-supplied values are concatenated directly into the shell command used in mysqldump, compromising the security of the system.
Affected Version(s)
WP Database Backup β Unlimited Database & Files Backup by Backup for WP 0 <= 7.11