CVE-2025-10579: CWE-862 Missing Authorization in wp_media BackWPup – WordPress Backup & Restore Plugin
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a backup's filename while a backup is running. This information has little value on its own, but could be used to aid in a brute force attack to retrieve backup contents in limited environments (e.g., NGINX).
AI Analysis
Technical Summary
CVE-2025-10579 is a vulnerability classified under CWE-862 (Missing Authorization) found in the BackWPup – WordPress Backup & Restore Plugin, widely used for backing up WordPress sites. The flaw arises from the absence of a proper capability check on the 'backwpup_working' AJAX action, which is accessible to any authenticated user with Subscriber-level privileges or higher. This action reveals the filename of a backup file while a backup operation is in progress. Although the filename alone does not directly expose backup contents, it can be leveraged by attackers to mount brute force attacks against backup files, particularly in environments where web server configurations (e.g., NGINX) might allow such attempts. The vulnerability affects all versions up to and including 5.5.0 of the plugin. Exploitation requires authentication but no additional user interaction, and the attack vector is network-based. The CVSS v3.1 score is 5.3, indicating medium severity, with high impact on confidentiality but no impact on integrity or availability. No public exploits have been reported yet, but the vulnerability's presence in a popular WordPress plugin makes it a relevant concern for website administrators. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for interim mitigations.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality of backup data. Organizations relying on the BackWPup plugin for WordPress site backups could have sensitive backup filenames exposed to low-privileged authenticated users, such as subscribers or contributors. This exposure could facilitate targeted brute force attacks to retrieve backup contents, potentially leading to data leakage of website content, configuration, or user data. The impact is more pronounced for organizations with limited web server protections or those using NGINX configurations susceptible to brute force attacks on backup files. Since WordPress powers a significant portion of European websites, including small and medium enterprises, NGOs, and public sector sites, the risk of data exposure is non-trivial. However, the requirement for authenticated access limits the attack surface to users who already have some level of access, reducing the likelihood of external attackers exploiting this vulnerability directly. Nonetheless, insider threats or compromised low-privilege accounts could leverage this flaw to escalate data exposure.
Mitigation Recommendations
European organizations should immediately verify if their WordPress installations use the BackWPup plugin version 5.5.0 or earlier and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should restrict access to the WordPress backend to trusted users only and review user roles to minimize the number of accounts with Subscriber-level or higher privileges. Implementing strict web server rules to prevent unauthorized access to backup files, such as denying direct HTTP access to backup directories or files, is critical. Additionally, monitoring and logging AJAX requests to detect unusual access patterns to the 'backwpup_working' action can help identify exploitation attempts. Employing multi-factor authentication (MFA) for all WordPress users reduces the risk of account compromise. Finally, consider temporarily disabling the BackWPup plugin if backups can be managed through alternative secure methods until a fix is released.
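The following is an added example, not BackWPup's own code, covering two points from the analysis and recommendations above: what the missing capability check looks like when it is present in an AJAX handler, and an interim must-use plugin that gates the 'backwpup_working' action and logs denied calls until a patched release is installed. It assumes the action is registered under WordPress's standard wp_ajax_backwpup_working hook (derived from the action name; the plugin's actual registration was not inspected), that 'manage_options' is an appropriate capability to require (an assumption, not a value taken from the plugin), and that the nonce action name and all function names are illustrative.

```php
<?php
/**
 * Plugin Name: Interim gate for the backwpup_working AJAX action
 *
 * Illustrative must-use plugin (place in wp-content/mu-plugins/). Added example,
 * not BackWPup's source. Assumptions:
 *   - the action is dispatched through the wp_ajax_backwpup_working hook
 *     (WordPress's wp_ajax_{action} convention, inferred from the action name);
 *   - BACKUP_GATE_CAPABILITY ('manage_options') is an assumed choice of capability.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const BACKUP_GATE_CAPABILITY = 'manage_options'; // assumed, see header comment

/**
 * Root-cause fix, generic illustration: an authenticated-only AJAX handler that
 * verifies a nonce and a capability before returning anything. Without the
 * current_user_can() test, any logged-in user (Subscriber and up) reaches the
 * wp_send_json_success() line, which is the CWE-862 pattern the advisory describes.
 */
function illustrative_backup_status_handler() {
    check_ajax_referer( 'backup_status_nonce', 'nonce' ); // hypothetical nonce action name
    if ( ! current_user_can( BACKUP_GATE_CAPABILITY ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // Return only what an administrator needs, never more than the UI requires.
    wp_send_json_success( array( 'running' => true ) );
}

/**
 * Interim gate: registered at priority 1 on the same hook so it runs before the
 * plugin's own callback (default priority 10). Callers without the capability
 * are logged and the request is ended; wp_send_json_error() calls wp_die()
 * internally, so later callbacks on this hook never execute.
 */
function backup_gate_enforce_capability() {
    if ( current_user_can( BACKUP_GATE_CAPABILITY ) ) {
        return; // authorized; fall through to the plugin's handler
    }
    backup_gate_log_denied_request();
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
add_action( 'wp_ajax_backwpup_working', 'backup_gate_enforce_capability', 1 );

/**
 * One structured line per denied call in the PHP error log, so log shipping
 * can alert on low-privilege accounts probing the action. Only user id, roles
 * and source address are recorded; no backup filename is ever written.
 */
function backup_gate_log_denied_request() {
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    error_log( sprintf(
        'backwpup_working denied: user_id=%d roles=%s ip=%s',
        $user->ID,
        $roles,
        $ip
    ) );
}
```

The gate only narrows who can query the action; it does not remove the underlying exposure, so it complements rather than replaces the upgrade and the web-server rule denying direct HTTP access to the backup directory. Alerting on the "backwpup_working denied" line from a Subscriber-role account is the detection signal the recommendations refer to.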
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-16T19:37:30.649Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc525a9a6ac51d5490d28f
Added to database: 10/25/2025, 4:30:18 AM
Last enriched: 10/25/2025, 4:45:27 AM
Last updated: 10/25/2025, 5:58:56 PM
Related Threats
- CVE-2025-12221: CWE-16: Common Vulnerabilities in Software Configuration in Azure Access Technology BLU-IC2 (Low)
- CVE-2025-12220: CWE-1395: Dependency on Vulnerable Third-Party Component in Azure Access Technology BLU-IC2 (Critical)
- CVE-2025-12219: CWE-1395: Dependency on Vulnerable Third-Party Component in Azure Access Technology BLU-IC2 (Critical)
- CVE-2025-12218: CWE-1392: Use of Default Credentials in Azure Access Technology BLU-IC2 (Critical)
- CVE-2025-12216: CWE-1301: Insufficient or Incomplete Data Removal within Hardware Component in Azure Access Technology BLU-IC2 (Critical)