CVE-2025-10579 is a vulnerability classified under CWE-862 (Missing Authorization) found in the BackWPup – WordPress Backup & Restore Plugin, a popular WordPress plugin used for backing up and restoring website data. The flaw exists because the plugin fails to enforce proper capability checks on the 'backwpup_working' AJAX action endpoint. This endpoint is intended to provide status information about ongoing backups. However, due to the missing authorization, any authenticated user with at least Subscriber-level privileges can invoke this AJAX action and retrieve the filename of the backup currently being created. While the filename itself does not directly expose sensitive data, it can be leveraged by attackers to mount brute force attacks against backup files, particularly in web server environments like NGINX where certain access controls might be bypassed or misconfigured. The vulnerability affects all versions of the plugin up to and including 5.5.0. The CVSS v3.1 base score is 5.3, reflecting medium severity, with the vector indicating network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No patches or exploits are currently publicly available, but the vulnerability’s presence in a widely used plugin makes it a notable risk. The flaw highlights the importance of enforcing strict authorization checks on AJAX endpoints that expose operational data. Without such checks, even low-privileged users can gain information that aids further attacks.

The primary impact of this vulnerability is unauthorized disclosure of backup filenames, which compromises confidentiality. While the filename alone is not highly sensitive, it can serve as a stepping stone for attackers to attempt brute force or other attacks to access backup contents, potentially exposing sensitive website data, including user information, configuration files, or proprietary content. This risk is heightened in environments where web server configurations (e.g., NGINX) might allow easier access to backup files once their names are known. Organizations relying on the BackWPup plugin for backup management may face increased risk of data leakage, especially if attackers can escalate privileges or exploit other vulnerabilities in conjunction. The vulnerability does not affect data integrity or availability directly, but the potential exposure of backups could lead to reputational damage, compliance violations, and increased attack surface. Given WordPress’s widespread use globally, the threat could impact a broad range of organizations, from small businesses to large enterprises and hosting providers. The medium severity rating reflects the moderate risk posed by the vulnerability, balancing the limited direct impact with the ease of exploitation by low-privileged authenticated users.

To mitigate this vulnerability, organizations should immediately update the BackWPup plugin to a patched version once available. In the absence of an official patch, administrators can implement the following specific measures: 1) Restrict access to the 'backwpup_working' AJAX action by adding custom capability checks in the plugin code or via WordPress hooks to ensure only trusted roles (e.g., Administrator) can invoke it. 2) Harden web server configurations (especially NGINX) to prevent unauthorized access to backup files, including restricting directory listings and enforcing strict file access permissions. 3) Monitor user roles and minimize the assignment of Subscriber or other low-privilege accounts to untrusted users to reduce the attack surface. 4) Employ Web Application Firewalls (WAFs) to detect and block suspicious AJAX requests targeting the vulnerable endpoint. 5) Regularly audit backup storage locations and access logs for unusual activity. 6) Educate site administrators about the risks of exposing backup information and the importance of timely plugin updates. These targeted actions go beyond generic advice by focusing on the specific vulnerable endpoint and the operational context of the plugin.