CVE-2019-25224

Exploit

EPSS 16.68%
Veröffentlicht 25.07.2025 03:15:32
Zuletzt bearbeitet 11.08.2025 18:57:45
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

WP Database Backup < 5.2 - Unauthenticated OS Command Injection

The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system.

Mögliche Gegenmaßnahme

WP Database Backup – Unlimited Database & Files Backup by Backup for WP: Update to version 5.2, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wpseeds ≫ Wp Database Backup SwPlatformwordpress Version < 5.2

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Version [*, 5.2)

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	16.68%	0.966

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.html

Third Party Advisory

Exploit

https://packetstormsecurity.com/files/153781/

Third Party Advisory

Exploit

https://plugins.trac.wordpress.org/changeset/2078035/wp-database-backup

Patch

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_db_backup_rce.rb

Exploit

https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-25224

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-25224

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-25224

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2019-25224