
CVE-2025-10307: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in softaculous Backuply – Backup, Restore, Migrate and Clone

Severity: Medium
Published: Fri Sep 26 2025 (09/26/2025, 06:43:28 UTC)
Source: CVE Database V5
Vendor/Project: softaculous
Product: Backuply – Backup, Restore, Migrate and Clone

Description

The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

AI-Powered Analysis

Last updated: 09/26/2025, 06:49:39 UTC

Technical Analysis

CVE-2025-10307 is a path traversal vulnerability (CWE-22) in the WordPress plugin Backuply – Backup, Restore, Migrate and Clone, developed by Softaculous. It affects all versions up to and including 1.4.8. The flaw arises from insufficient validation of file paths in the plugin's delete backup functionality. Specifically, authenticated users with Administrator-level privileges or higher can exploit this weakness to delete arbitrary files on the web server by manipulating the file path parameter. Because the plugin does not properly restrict the pathname to a safe directory, attackers can traverse directories and target critical files outside the intended backup folders. Deleting sensitive files such as wp-config.php, which contains database credentials and configuration settings, can lead to severe consequences including remote code execution (RCE).

The CVSS v3.1 base score is 6.5, indicating medium severity. The vector metrics show that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). There is no impact on confidentiality, but integrity and availability are highly impacted by arbitrary file deletion.

No known exploits are currently reported in the wild. The vulnerability was published on September 26, 2025, and was assigned by Wordfence. No official patches or updates are linked yet, so mitigation relies on administrative controls and monitoring. This vulnerability is particularly dangerous because it leverages legitimate administrative access, which makes detection more difficult and increases the risk of destructive actions on the server environment hosting WordPress sites that use this plugin.
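
The containment check that the analysis describes as missing can be sketched as follows. This is an added PHP example, not Backuply's code or the vendor's fix; the function name safe_delete_backup and the directory layout in the demo are hypothetical.

```php
<?php
// Added example, not Backuply's code: safe_delete_backup() and the directory
// layout in the demo are hypothetical.
function safe_delete_backup(string $backupDir, string $requestedName): bool
{
    // Resolve the allowed base directory once; realpath() fails if it is missing.
    $base = realpath($backupDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    // First filter: a backup name must be one path component with no NUL byte.
    if ($requestedName === '' || strpos($requestedName, "\0") !== false
        || $requestedName !== basename($requestedName)) {
        return false;
    }

    // Canonicalise the candidate so "..", "." and symlinks are resolved.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requestedName);
    if ($target === false || !is_file($target)) {
        return false;
    }

    // Containment check on the canonical path. The trailing separator keeps
    // a sibling such as "backups-old" from matching the prefix "backups".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    return unlink($target);
}

// Constructed demo: a throwaway site root holding a config file and one backup.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cwe22_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/backups', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed sample\n");
file_put_contents($root . '/backups/site.tar.gz', 'constructed sample');

// Traversal-style name, then a legitimate backup name, then the config check.
var_dump(safe_delete_backup($root . '/backups', '../wp-config.php'));
var_dump(safe_delete_backup($root . '/backups', 'site.tar.gz'));
var_dump(file_exists($root . '/wp-config.php'));

// Remove the demo files.
unlink($root . '/wp-config.php');
rmdir($root . '/backups');
rmdir($root);
```

The comparison of canonical paths is the authoritative check; the single-component filter only rejects malformed names early.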

Potential Impact

For European organizations, this vulnerability poses a significant risk especially for those relying on WordPress sites with the Backuply plugin installed. The ability for an authenticated administrator to delete arbitrary files can disrupt business operations by causing site outages, data loss, or corruption of critical configuration files. This can lead to downtime, loss of customer trust, and potential regulatory non-compliance, particularly under GDPR where data integrity and availability are important. Additionally, the potential for remote code execution following file deletion elevates the threat to a critical level, as attackers could gain persistent control over web servers, leading to data breaches or lateral movement within corporate networks. Organizations in sectors such as e-commerce, finance, healthcare, and government, which often use WordPress for public-facing websites, are at higher risk. The medium CVSS score may underestimate the real-world impact if the attacker leverages this vulnerability as a stepping stone for further exploitation. Since the attack requires administrator privileges, the threat is mitigated somewhat by internal access controls, but insider threats or compromised admin accounts remain a concern. The lack of known exploits in the wild suggests this is a newly disclosed vulnerability, so proactive patching and monitoring are critical to prevent exploitation.

Mitigation Recommendations

1. Immediately audit all WordPress installations for the presence of the Backuply plugin and verify the version in use.
2. Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce risk of credential compromise.
3. Until an official patch is released, consider disabling or uninstalling the Backuply plugin to eliminate the attack vector.
4. Implement file integrity monitoring on critical files such as wp-config.php and other configuration files to detect unauthorized deletions or modifications promptly.
5. Harden server permissions to limit the ability of the web server process to delete or modify files outside designated directories.
6. Monitor WordPress logs and server logs for unusual delete operations or suspicious activity by administrators.
7. Maintain regular backups stored offline or in immutable storage to enable recovery in case of file deletion or ransomware attacks.
8. Stay updated with vendor advisories and apply patches as soon as they become available.
9. Conduct security awareness training for administrators to recognize and report suspicious activities.
10. Employ web application firewalls (WAFs) with rules that can detect and block path traversal attempts, although this is less effective against authenticated users.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-11T22:26:05.124Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d6368f9104bf76542472b5

Added to database: 9/26/2025, 6:45:35 AM

Last enriched: 9/26/2025, 6:49:39 AM

Last updated: 9/26/2025, 8:42:13 AM
