CVE-2026-1311 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: February 26, 2026
Worry Proof Backup WordPress plugin - Path Traversal & Remote Code Execution
Published: February 26, 2026 | Updated: February 26, 2026 | Remote Exploitable
Overview
Worry Proof Backup WordPress plugin <= 0.2.4 contains a path traversal vulnerability in backup upload functionality, letting authenticated attackers with Subscriber-level access upload malicious ZIP archives to write arbitrary files, including executable PHP, leading to remote code execution.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated attackers can upload malicious files to execute arbitrary code, potentially compromising the entire server.
Mitigation
Update to the latest version of Worry Proof Backup plugin.
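Until the update is applied, uploaded backup archives can be audited for entries that would be written outside the restore directory. The following is an added example, not the plugin's code: the function names, the sample archive and the destination path `/var/backups/restore` are assumptions made for illustration.

```python
import io
import posixpath
import zipfile

def audit_zip(data: bytes, dest: str = "/var/backups/restore") -> list[tuple[str, str]]:
    """Return (entry_name, reason) for every entry that must not be extracted."""
    findings = []
    root = posixpath.normpath(dest)  # assumed extraction directory
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Treat Windows separators as path separators too.
            name = info.filename.replace("\\", "/")
            # Resolve the entry against the destination without touching disk.
            target = posixpath.normpath(posixpath.join(root, name))
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                findings.append((info.filename, "absolute path"))
            elif target != root and not target.startswith(root + "/"):
                findings.append((info.filename, "escapes destination"))
            elif (info.external_attr >> 16) & 0o170000 == 0o120000:
                # Unix mode bits mark the entry as a symbolic link.
                findings.append((info.filename, "symlink"))
    return findings

def build_sample(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed entries (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample: one normal backup entry and one traversal entry.
SAMPLE = build_sample({
    "db/dump.sql": b"-- constructed sample",
    "../../uploads/x.php": b"constructed placeholder",
})

if __name__ == "__main__":
    for entry, reason in audit_zip(SAMPLE):
        print(f"REJECT {entry}: {reason}")
```

An archive with any finding should be rejected whole rather than extracted with the flagged entries skipped.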
References
- https://plugins.trac.wordpress.org/browser/worry-proof-backup/trunk/inc/libs/upload-backup.php#L97
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3ffd6ce0-2536-43a5-9925-438bc653d0e5?source=cve
- https://plugins.trac.wordpress.org/browser/worry-proof-backup/tags/0.2.4/inc/libs/upload-backup.php#L97
Details
- CVE ID: CVE-2026-1311
- Severity: High
- CVSS Score: 8.8
- Type: path_traversal
- Status: new
- CWE: CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H