CVE-2025-10307: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in softaculous Backuply – Backup, Restore, Migrate and Clone
The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-10307 is a path traversal vulnerability classified under CWE-22 found in the Backuply – Backup, Restore, Migrate and Clone plugin for WordPress. This vulnerability arises from improper validation of file paths in the plugin's delete backup functionality, allowing an authenticated attacker with Administrator-level privileges to delete arbitrary files on the hosting server. Since the plugin does not properly restrict pathname traversal sequences, an attacker can craft requests to delete files outside the intended backup directories. Critical files such as wp-config.php, which contains database credentials and configuration settings, can be targeted. Deletion of such files can disrupt website availability and potentially enable remote code execution if attackers replace or manipulate files afterward. The vulnerability affects all versions up to and including 1.4.8. Exploitation requires authentication with high privileges but no additional user interaction. The CVSS v3.1 base score is 6.5, reflecting medium severity due to the high impact on integrity and availability but limited attack vector and privilege requirements. No patches or known exploits are currently reported, but the risk remains significant for sites using this plugin without mitigation.
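The containment check whose absence the summary describes, as an added example; it is not Backuply's code or its fix. The function names, directory layout and file names are hypothetical, the demo tree is constructed, and a POSIX filesystem is assumed.

```php
<?php
// Added example: hypothetical helper names, not Backuply's code.

/**
 * Map a requested backup name to a real file directly inside $backupDir.
 * Returns the canonical path, or null when the request must be refused.
 */
function resolve_backup_path(string $backupDir, string $requested): ?string
{
    // Only a bare file name is acceptable: no NUL bytes, no separators.
    if ($requested === '' || strpos($requested, "\0") !== false
        || basename($requested) !== $requested) {
        return null;
    }
    $base = realpath($backupDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks, so the
    // containment test below runs on the path the kernel would really use.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

function delete_backup(string $backupDir, string $requested): bool
{
    $path = resolve_backup_path($backupDir, $requested);
    return $path !== null && unlink($path);
}

// Constructed demo tree: a site root with wp-config.php and a backups directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . '/backups', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed\n");
file_put_contents($root . '/backups/site.tar.gz', 'constructed');
symlink($root . '/wp-config.php', $root . '/backups/link.tar.gz');

foreach (['site.tar.gz', '../wp-config.php', '..', 'link.tar.gz', 'missing.tar.gz'] as $name) {
    $result = delete_backup($root . '/backups', $name) ? 'deleted' : 'refused';
    printf("%-18s %s\n", $name, $result);
}
// Report whether the file outside the backup directory is still present.
var_dump(file_exists($root . '/wp-config.php'));
```

The check compares canonical paths rather than filtering strings, so a symlink planted inside the backup directory is refused on the same grounds as a traversal sequence.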
Potential Impact
The primary impact of CVE-2025-10307 is the potential for arbitrary file deletion on affected servers, which can severely compromise website integrity and availability. Deleting critical WordPress files such as wp-config.php can cause site outages, data loss, and configuration corruption. This may also open avenues for remote code execution if attackers replace or manipulate files after deletion, leading to full server compromise. Organizations relying on Backuply for backup and migration risk losing backups and critical data, impacting disaster recovery capabilities. The requirement for Administrator-level access limits exploitation to trusted insiders or compromised admin accounts, but insider threats or credential theft could enable attacks. The vulnerability can disrupt business continuity, damage reputation, and incur recovery costs. Given WordPress's widespread use globally, the threat affects a broad range of organizations, especially those with limited security monitoring or patch management.
Mitigation Recommendations
To mitigate CVE-2025-10307, organizations should immediately upgrade the Backuply plugin to a version that addresses this vulnerability once available. Until a patch is released, restrict Administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Implement web application firewalls (WAFs) with rules to detect and block path traversal attempts targeting the plugin's delete backup functionality. Regularly audit and monitor file integrity on WordPress servers to detect unauthorized deletions or modifications, focusing on critical files like wp-config.php. Back up critical data frequently and store backups offline or in isolated environments to prevent tampering. Additionally, consider limiting plugin usage or replacing Backuply with alternative backup solutions that have a stronger security track record. Review server and WordPress logs for suspicious activity related to backup deletion requests. Apply the principle of least privilege by minimizing the number of users with Administrator rights.
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Italy, Spain, South Africa, Mexico
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-11T22:26:05.124Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d6368f9104bf76542472b5
Added to database: 9/26/2025, 6:45:35 AM
Last enriched: 2/27/2026, 6:21:58 PM
Last updated: 3/24/2026, 8:22:42 AM