CVE-2026-6227 - Vulnerability Analysis
HighCVSS: 7.2Last Updated: April 14, 2026
BackWPup WordPress Plugin - Local File Inclusion
Published: April 14, 2026Updated: April 14, 2026PoC AvailableRemote Exploitable
Overview
BackWPup WordPress plugin <= 5.6.6 contains a local file inclusion caused by insufficient sanitization of path traversal sequences in the block_name parameter of /wp-json/backwpup/v1/getblock, letting authenticated administrators include arbitrary PHP files, exploit requires administrator-level access.
Severity & Score
Severity: High
CVSS Score: 7.2
Impact
Authenticated administrators can include arbitrary PHP files, potentially leading to sensitive file disclosure or remote code execution.
Mitigation
Update to a version later than 5.6.6 or the latest available version.
References
- https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPupHelpers.php#L23
- https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPupHelpers.php#L40
- https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/src/Frontend/API/Rest.php#L52
- https://plugins.trac.wordpress.org/browser/backwpup/trunk/inc/Utils/BackWPupHelpers.php#L23
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3490642%40backwpup%2Ftrunk&old=3475739%40backwpup%2Ftrunk&sfp_email=&sfph_mail=#file26
- https://www.wordfence.com/threat-intel/vulnerabilities/id/084e3f78-275b-4692-9cce-e17074f55cfb?source=cve
Related Resources
Details
- CVE ID
- CVE-2026-6227
- Severity
- High
- CVSS Score
- 7.2
- Type
- file_inclusion
- Status
- new
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H