Introduction
Attackers can extract sensitive WordPress database contents and delete arbitrary files on the server without authentication by exploiting a critical flaw in the WPRecovery plugin. This vulnerability, tracked as CVE-2025-10726, affects all WPRecovery versions up to and including 2.0 and exposes WordPress sites to data theft and destructive attacks.
WPRecovery is a WordPress backup and recovery management plugin developed by quantumrose and distributed via Common Ninja. While not among the most widely deployed backup plugins, it is designed to provide one-click restoration and backup management for WordPress sites. The plugin is currently in beta and has a limited maintenance and update history.
Technical Information
CVE-2025-10726 is a critical SQL injection vulnerability that arises from improper handling of the data[id] parameter in the WPRecovery plugin. All versions up to and including 2.0 are affected. The vulnerable code path is present in the plugin's backup deletion logic, specifically in files such as delete_backup.php and related SQL query construction routines.
The root cause is the direct insertion of user-supplied data[id] input into SQL queries without sufficient escaping or use of prepared statements. This allows unauthenticated attackers to inject arbitrary SQL commands. The result of the SQL query is then passed directly to PHP's unlink() function, which is used to delete files from the server. By manipulating the SQL injection payload, attackers can control the file path argument to unlink(), enabling deletion of any file the web server process can access.
Relevant public code references:
No patch or official fix is available as of publication. The vulnerability is unauthenticated and can be exploited remotely.
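As an added illustration of the flaw class described above (this is not WPRecovery's code; the table, column, directory, nonce and hook names are assumptions), a constructed delete handler in which the raw data[id] value reaches both the query and unlink(), next to a hardened version that authorises the caller, uses a prepared statement and confines deletion to the backup directory:

```php
<?php
// Added example, not the plugin's code. Table/column/directory names are assumptions.

// --- Flawed pattern (reconstruction of the class of bug described; do not use) ---
function wprc_delete_backup_flawed() {
    global $wpdb;
    $id   = $_POST['data']['id'];   // untrusted, unescaped, no auth check
    $path = $wpdb->get_var("SELECT path FROM {$wpdb->prefix}wprc_backups WHERE id = $id");
    unlink($path);                  // query result, hence the path, is attacker-influenced
}

// --- Hardened version ---
function wprc_delete_backup_hardened() {
    global $wpdb;

    // 1. Authenticate and authorise: a valid nonce and an administrator capability.
    check_ajax_referer('wprc_delete_backup', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 2. Coerce the identifier to an integer and bind it with a prepared statement.
    $id = isset($_POST['data']['id']) ? absint($_POST['data']['id']) : 0;
    if ($id === 0) {
        wp_send_json_error('invalid id', 400);
    }
    $table = $wpdb->prefix . 'wprc_backups';
    $path  = $wpdb->get_var($wpdb->prepare("SELECT path FROM {$table} WHERE id = %d", $id));
    if ($path === null) {
        wp_send_json_error('not found', 404);
    }

    // 3. Do not trust the stored path either: resolve it and require it to sit
    //    inside the backup directory (assumed to be uploads/wprc-backups).
    $backup_dir = realpath(trailingslashit(wp_upload_dir()['basedir']) . 'wprc-backups');
    $real       = realpath($path);
    if ($backup_dir === false || $real === false
        || strpos($real, $backup_dir . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error('path outside backup directory', 400);
    }

    // 4. Remove the row, then the file, and report failures instead of ignoring them.
    $wpdb->delete($table, array('id' => $id), array('%d'));
    if (!unlink($real)) {
        wp_send_json_error('unlink failed', 500);
    }
    wp_send_json_success();
}
add_action('wp_ajax_wprc_delete_backup', 'wprc_delete_backup_hardened');
```

The hardened handler is registered only on the authenticated wp_ajax_ hook, so an unauthenticated request never reaches the query or the filesystem call.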
Affected Systems and Versions
- Product: WPRecovery WordPress plugin
- Versions affected: All versions up to and including 2.0
- Vulnerable configuration: Any WordPress installation with WPRecovery plugin version 2.0 or earlier enabled
Vendor Security History
WPRecovery is developed by quantumrose and distributed via Common Ninja. The plugin is in beta and has a limited maintenance and update history. There are no prior high-profile vulnerabilities documented for this plugin. The lack of a patch and the beta status indicate a low level of security maturity and responsiveness.