Backuply
cpe:2.3:a:softaculous:backuply:*:*:*:*:wordpress:*:*
- <= 1.4.8
A vulnerability allowing arbitrary file deletion has been identified in the Backuply – Backup, Restore, Migrate and Clone plugin for WordPress, affecting all versions through 1.4.8. This issue arises from inadequate validation of file paths in the backup deletion feature. As a result, authenticated attackers with Administrator-level access can delete arbitrary files on the server. Deleting certain files, such as wp-config.php, could lead to remote code execution.
Exploitation of this vulnerability could result in unauthorized deletion of files on the server, with the potential for remote code execution if a critical file is removed.
To reproduce this vulnerability, an authenticated user with Administrator-level access can use the plugin's backup deletion feature. The vulnerability can be exploited by sending a request to delete a backup file while bypassing the file path validation, allowing for the deletion of arbitrary files on the server.
Users are advised to update the Backuply WordPress plugin to version 1.4.9 or later.
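The class of check whose absence the description above points to, path validation before a backup file is deleted, is sketched below as an added example. It is not Backuply's code or its 1.4.9 fix: the function name `delete_backup_checked`, the extension allowlist and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical helper, not taken from the plugin.
// Deletes a backup only if the requested name is a bare archive file name
// and the resolved path is still inside the backup directory.
function delete_backup_checked(string $backupDir, string $name): bool {
    // Allow a plain file name only: no separators, no NUL bytes,
    // and an expected archive extension (assumed allowlist).
    if (!preg_match('/^[A-Za-z0-9._-]+\.(?:tar\.gz|zip)\z/i', $name)) {
        return false;
    }
    $root   = realpath($backupDir);
    $target = realpath($backupDir . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $target === false) {
        return false; // directory or file does not exist
    }
    // realpath() has resolved ".." and symlinks, so a prefix comparison
    // against the backup directory is meaningful here.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return is_file($target) && unlink($target);
}

// Constructed demo data: a temporary "site" with a config file and one backup.
$site = sys_get_temp_dir() . '/demo_site_' . bin2hex(random_bytes(4));
mkdir($site . '/backups', 0700, true);
file_put_contents($site . '/wp-config.php', 'constructed');
file_put_contents($site . '/backups/site.tar.gz', 'constructed');

// A name that points outside the backup directory.
var_dump(delete_backup_checked($site . '/backups', '../wp-config.php'));
var_dump(file_exists($site . '/wp-config.php'));

// A legitimate backup name.
var_dump(delete_backup_checked($site . '/backups', 'site.tar.gz'));

// Clean up the constructed files.
unlink($site . '/wp-config.php');
rmdir($site . '/backups');
rmdir($site);
```

In a WordPress handler a check like this would sit behind the existing capability and nonce checks, not replace them.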