Introduction
A missing authorization check in the Database Backup for WordPress plugin allows unauthenticated attackers to silently redirect scheduled database backups to publicly accessible directories and then download the resulting SQL dump, which contains database credentials, password hashes, and personally identifiable information. With a CVSS score of 7.5 and a predictable filename scheme that makes interception reliable, this is a vulnerability that WordPress administrators running scheduled backups need to address promptly.
The Database Backup for WordPress plugin, maintained by Delicious Brains, provides a straightforward way for site administrators to back up core WordPress database tables and either download them or receive them via email. It has been a long standing utility in the WordPress plugin ecosystem. The flaw tracked as CVE 2026 4031 affects all versions of the plugin up to and including 2.5.2.
Technical Information
Root Cause: Missing Authorization on Directory Parameter (CWE 862)
The vulnerability originates from the plugin's handling of the wp_db_temp_dir parameter. This parameter controls the filesystem path where database backup files are written during the backup process. Prior to version 2.5.3, the plugin accepted wp_db_temp_dir as a GET request parameter without performing any authentication or authorization checks. There was no verification that the requester held administrative privileges or even that the request came from an authenticated user at all.
This means any unauthenticated visitor could influence where the plugin stored its backup output simply by including the parameter in a request.
Attack Flow
The exploitation of CVE 2026 4031 follows a clear sequence:
-
Reconnaissance: The attacker identifies a WordPress site running the Database Backup for WordPress plugin (versions up to 2.5.2) with scheduled backups configured. The scheduled backup requirement is a precondition for exploitation.
-
Directory Poisoning: The attacker sends a crafted request to
wp-cron.phpwith a poisonedwp_db_temp_dirvalue pointing to a publicly accessible directory on the web server, such aswp-content/uploads/. -
Backup Trigger: If a scheduled backup is due to run (WordPress cron jobs execute when triggered by page loads or direct requests to
wp-cron.php), the plugin writes the full database export to the attacker controlled directory instead of its intended, protected location. -
Filename Prediction: The legacy filename generation scheme used the database name, table prefix, date, and Swatch Internet Time. All of these components are either publicly discoverable (the default WordPress table prefix is
wp_, and the database name can sometimes be inferred) or calculable (date and Swatch Internet Time are deterministic). This allows the attacker to construct the exact filename of the backup. -
Interception: The attacker requests the predicted filename from the public directory (e.g.,
https://target.com/wp-content/uploads/[predicted_filename].sql) and downloads the complete database dump before the plugin's cleanup routine removes it.
What Gets Exposed
A successful exploitation yields the entire WordPress database export, which typically includes:
- Database credentials stored in configuration tables
- User password hashes from the
wp_userstable - Personally identifiable information including email addresses, usernames, and any data stored by plugins (e.g., WooCommerce orders, form submissions)
- WordPress secret keys and salts if stored in the database
- All post content, comments, and site configuration
How the Fix Works
The patch in version 2.5.3 addresses the vulnerability through three changes:
-
Parameter removal: The code that processed the
wp_db_temp_dirGET parameter was removed entirely, eliminating the ability for external requests to influence the backup directory. -
Cryptographic filename randomness: The filename generation was updated to include a 12 character cryptographic nonce generated by
wp_generate_password( 12, false ), making the resulting filename effectively impossible to predict. -
Authorization enforcement: Strict
can_user_backup()authorization checks were added before the backup process can be initialized, ensuring only authorized users can trigger or influence backups.
Affected Systems and Versions
- Plugin: Database Backup for WordPress (wp-db-backup)
- Affected versions: All versions up to and including 2.5.2
- Fixed version: 2.5.3 (released April 20, 2026)
- Precondition: The site administrator must have configured scheduled backups for the vulnerability to be exploitable
Vendor Security History
Delicious Brains released version 2.5.3 to address not just CVE 2026 4031 but a cluster of three unauthenticated vulnerabilities discovered by security researcher Drew Webber:
| CVE ID | Description | Fixed In |
|---|---|---|
| CVE 2026 4029 | Missing Authorization to Unauthenticated Database Export | 2.5.3 |
| CVE 2026 4030 | Missing Authorization to Unauthenticated Arbitrary File Read and Deletion | 2.5.3 |
| CVE 2026 4031 | Missing Authorization to Unauthenticated Database Backup Interception | 2.5.3 |
The fact that three separate unauthenticated access vulnerabilities were patched simultaneously suggests a systemic gap in the plugin's authorization model that existed prior to this coordinated fix. The vendor's willingness to address all reported issues in a single release is a positive indicator of their response to security disclosures.
References
- Wordfence Threat Intel Advisory for CVE 2026 4031
- WordPress Plugin Changeset 3510595 (Patch Diff)
- Vulnerable Source: wp-db-backup.php (v2.5.2, Line 121)
- Patched Source: wp-db-backup.php (trunk, Line 121)
- Patched Source: wp-db-backup.php (trunk, Line 85)
- Patched Source: wp-db-backup.php (trunk, Line 961)
- Patched Source: wp-db-backup.php (trunk, Line 1568)
- GitHub: Delicious Brains wp-db-backup
- Feedly CVE 2026 4031 Tracking



