CVE-2025-10304: CWE-862 Missing Authorization in everestthemes Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress.
AI Analysis
Technical Summary
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin contains a vulnerability identified as CVE-2025-10304, classified under CWE-862 (Missing Authorization). The flaw exists in the process_status_unlink() function, which lacks proper capability checks, allowing unauthenticated attackers to invoke this function and delete backup progress files during an active backup operation. This deletion disrupts the backup process, causing it to fail and potentially leaving systems without recent backups. The vulnerability affects all versions up to and including 2.3.8. The CVSS v3.1 base score is 5.3, indicating medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is limited to integrity, as confidentiality and availability are not directly compromised. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability is significant because backups are critical for disaster recovery and data protection, and disruption can delay recovery efforts or cause data loss if backups are not completed successfully. The plugin is used in WordPress environments, which are widely deployed across many organizations, increasing the potential attack surface.
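To make the missing capability check concrete, the following added example (not Everest Backup's code and not taken from the advisory) shows a WordPress AJAX handler that deletes a progress file without authorization next to a hardened version. The action name, file path and function names are hypothetical, and exposing the handler through admin-ajax hooks is an assumption, since the page does not say how process_status_unlink() is reached.

```php
<?php
// Hypothetical plugin fragment illustrating CWE-862 in WordPress.
// Action name, path and function names are invented for this example.

const DEMO_ACTION = 'demo_backup_status_unlink';

function demo_progress_file(): string {
    return trailingslashit( WP_CONTENT_DIR ) . 'demo-backup/progress.json';
}

// BEFORE (shown for contrast, never registered here). The flawed
// registration would also expose the handler to logged-out visitors:
//   add_action( 'wp_ajax_' . DEMO_ACTION, 'demo_status_unlink_unchecked' );
//   add_action( 'wp_ajax_nopriv_' . DEMO_ACTION, 'demo_status_unlink_unchecked' );
function demo_status_unlink_unchecked(): void {
    $file = demo_progress_file();
    if ( is_file( $file ) ) {
        wp_delete_file( $file ); // reached without any identity or capability check
    }
    wp_send_json_success();
}

// AFTER: registered for authenticated users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_' . DEMO_ACTION, 'demo_status_unlink_checked' );

function demo_status_unlink_checked(): void {
    // CSRF check: the admin page must send a nonce created with
    // wp_create_nonce( DEMO_ACTION ) in the "nonce" request field.
    // check_ajax_referer() ends the request with a 403 if it is invalid.
    check_ajax_referer( DEMO_ACTION, 'nonce' );

    // Authorization check: only users allowed to manage the site may
    // interfere with a running backup.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $file = demo_progress_file();
    if ( is_file( $file ) ) {
        wp_delete_file( $file );
    }
    wp_send_json_success();
}
```

When reviewing other plugins for the same class of flaw, look for state-changing handlers that are hooked for unauthenticated requests or that never call current_user_can().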
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of backup operations. Organizations relying on Everest Backup for critical data protection may experience failed backups, leading to gaps in recovery points and increased risk of data loss in the event of ransomware or other destructive incidents. Although the vulnerability does not allow data theft or system takeover, the inability to complete backups can severely impact business continuity and compliance with data protection regulations such as GDPR, which require reliable data retention and recovery mechanisms. Organizations with automated backup schedules may not immediately detect backup failures caused by this exploit, increasing exposure time. The lack of authentication requirement means attackers can exploit this remotely without credentials, increasing risk especially for publicly accessible WordPress sites. The impact is more pronounced for sectors with stringent data protection needs, such as finance, healthcare, and government entities in Europe.
Mitigation Recommendations
Immediate mitigation involves restricting access to the plugin’s backup-related endpoints, particularly the process_status_unlink() function, through web application firewalls (WAFs) or server-level access controls to prevent unauthenticated requests. Organizations should monitor backup logs for unexpected failures or deletions of backup progress files. Since no official patch is currently available, administrators should consider disabling the Everest Backup plugin temporarily if backups are critical and cannot be monitored effectively. Implementing network segmentation to isolate WordPress servers and limiting exposure to the internet can reduce attack surface. Once a patch is released, prompt application is essential. Additionally, organizations should maintain alternative backup solutions and verify backup integrity regularly to ensure recovery readiness. Security teams should also audit user permissions and plugin configurations to enforce least privilege principles.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-11T21:54:46.884Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692fb1c7619fec35b4585800
Added to database: 12/3/2025, 3:43:03 AM
Last enriched: 12/10/2025, 4:44:25 AM
Last updated: 1/18/2026, 12:15:08 AM