WPRecovery Plugin CVE-2025-10726: SQL Injection and Arbitrary File Deletion – Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-10726, a critical SQL injection and arbitrary file deletion vulnerability in the WPRecovery WordPress plugin up to and including version 2.0. It covers technical details, affected versions, and vendor security context based on available public information.
CVE Analysis

ZeroPath CVE Analysis

2025-10-03
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Attackers can extract sensitive WordPress database contents and delete arbitrary files on the server without authentication by exploiting a critical flaw in the WPRecovery plugin. This vulnerability, tracked as CVE-2025-10726, affects all WPRecovery versions up to and including 2.0 and exposes WordPress sites to data theft and destructive attacks.

WPRecovery is a WordPress backup and recovery management plugin developed by quantumrose and distributed via Common Ninja. While not among the most widely deployed backup plugins, it is designed to provide one-click restoration and backup management for WordPress sites. The plugin is currently in beta and has a limited maintenance and update history.

Technical Information

CVE-2025-10726 is a critical SQL injection vulnerability caused by improper handling of the data[id] request parameter in the WPRecovery plugin. All versions up to and including 2.0 are affected. The vulnerable code path lies in the plugin's backup deletion logic, specifically in files such as delete_backup.php and the SQL query construction routines that support it.

The root cause is that the user-supplied data[id] value is concatenated directly into the SQL text, with neither adequate escaping nor a prepared statement (in WordPress terms, no $wpdb->prepare() call). Because the endpoint enforces no authentication, any remote attacker can append their own SQL to the existing query and read back data the query was never meant to return. The problem is then compounded: the value returned by that query is passed straight to PHP's unlink() as the path of the backup file to remove. An attacker who controls the query result (for example with a UNION SELECT that returns a path of their choosing) therefore controls the argument to unlink(), and can delete any file the web server user has permission to remove.
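The following is an added illustration, not code from the WPRecovery plugin: it models the pattern described above in Python with an in-memory SQLite table standing in for the plugin's backup records (the table layout, function names and file names are assumptions). The vulnerable function concatenates data[id] into the query and unlinks whatever comes back; the hardened version parameterises the query, rejects non-integer ids, and refuses to delete anything that does not resolve inside the backup directory, which also protects against a tampered or poisoned backup record.

```python
import os
import sqlite3
import tempfile

# Hypothetical table standing in for the plugin's backup records.
SCHEMA = "CREATE TABLE backups (id INTEGER PRIMARY KEY, file_path TEXT NOT NULL)"


def delete_backup_vulnerable(conn, data_id):
    """Mirrors the flaw described for CVE-2025-10726: data[id] is pasted into
    the SQL text and the query result is handed straight to unlink()."""
    query = "SELECT file_path FROM backups WHERE id = " + str(data_id)
    row = conn.execute(query).fetchone()
    if row is None:
        return None
    os.unlink(row[0])  # attacker-controlled when the query was injected
    return row[0]


def delete_backup_hardened(conn, backup_root, data_id):
    """Parameterised query, strict integer id, and path confinement."""
    try:
        backup_id = int(data_id)
    except (TypeError, ValueError):
        raise ValueError("backup id must be an integer")
    row = conn.execute(
        "SELECT file_path FROM backups WHERE id = ?", (backup_id,)
    ).fetchone()
    if row is None:
        return None
    root = os.path.realpath(backup_root)
    target = os.path.realpath(row[0])
    # Even a stored row must resolve inside the backup directory before unlink().
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("refusing to delete outside the backup directory")
    os.unlink(target)
    conn.execute("DELETE FROM backups WHERE id = ?", (backup_id,))
    return target


def demo():
    """Constructed scenario: one real backup, one sensitive file outside the
    backup directory, and an injection payload aimed at that file."""
    workdir = tempfile.mkdtemp()
    backup_root = os.path.join(workdir, "backups")
    os.mkdir(backup_root)
    backup = os.path.join(backup_root, "site-2025-10-01.zip")
    secret = os.path.join(workdir, "wp-config.php")  # stand-in for a sensitive file
    for path in (backup, secret):
        with open(path, "w") as fh:
            fh.write("sample\n")

    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO backups VALUES (1, ?)", (backup,))

    # UNION turns the single-row result into the attacker's path.
    payload = "0 UNION SELECT '" + secret + "'"
    results = {}
    deleted = delete_backup_vulnerable(conn, payload)
    results["vulnerable_deleted_secret"] = deleted == secret and not os.path.exists(secret)

    # Restore the file and replay the same payload against the hardened version.
    with open(secret, "w") as fh:
        fh.write("sample\n")
    try:
        delete_backup_hardened(conn, backup_root, payload)
        results["hardened_rejected_payload"] = False
    except ValueError:
        results["hardened_rejected_payload"] = True

    # A record whose stored path points outside the backup directory is refused too.
    conn.execute("INSERT INTO backups VALUES (2, ?)", (secret,))
    try:
        delete_backup_hardened(conn, backup_root, "2")
        results["confinement_enforced"] = False
    except PermissionError:
        results["confinement_enforced"] = True
    results["secret_survives"] = os.path.exists(secret)

    # A legitimate request still deletes the backup and its record.
    delete_backup_hardened(conn, backup_root, "1")
    results["legit_backup_deleted"] = not os.path.exists(backup)
    results["rows_left"] = conn.execute("SELECT COUNT(*) FROM backups").fetchone()[0]
    return results
```

In the real plugin the equivalent fix is a $wpdb->prepare() placeholder for the id, a capability and nonce check on the request, and a realpath() comparison against the backup directory before unlink(); the last check matters because parameterising the query alone still lets a poisoned backup record delete an arbitrary file.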

Relevant public code references:

No patch or official fix is available as of publication. The vulnerability requires no authentication and is exploitable remotely by anyone who can reach the site. Until a fixed release exists, the only reliable mitigation is to deactivate and remove the plugin; a WAF rule that rejects requests whose data[id] value is not a plain integer is at best a stopgap.

Affected Systems and Versions

  • Product: WPRecovery WordPress plugin
  • Versions affected: All versions up to and including 2.0
  • Vulnerable configuration: Any WordPress installation with WPRecovery plugin version 2.0 or earlier enabled

Vendor Security History

WPRecovery is developed by quantumrose and distributed via Common Ninja. The plugin is in beta and has a limited maintenance and update history. There are no prior high-profile vulnerabilities documented for this plugin. The lack of a patch and the beta status indicate a low level of security maturity and responsiveness.
